Event ID: 4703

A token right was adjusted

A token right was adjusted.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Target Account:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Process Information:
    Process ID:         %10
    Process Name:       %9

Enabled Privileges:
            %11

Disabled Privileges:
            %12


To view the current privileges held by a user's token, run whoami /priv.

Microsoft Documentation

Event ID - 4703



Name                 Field                  Insertion String  OS   Example
Security ID          SubjectUserSid         %1                Any  DOMAINA\UserA
Account Name         SubjectUserName        %2                Any  UserA
Account Domain       SubjectDomainName      %3                Any  DOMAINA
Logon ID             SubjectLogonId         %4                Any  0x3e7
Security ID          TargetUserSid          %5                Any  DOMAINA\UserC
Account Name         TargetUserName         %6                Any  UserC
Account Domain       TargetDomainName       %7                Any  DOMAINA
Logon ID             TargetLogonId          %8                Any  0x3e7
Process Name         ProcessName            %9                Any  C:\Windows\System32\svchost.exe
Process ID           ProcessId              %10               Any  0x278
Enabled Privileges   EnabledPrivilegeList   %11               Any  View Codes
Disabled Privileges  DisabledPrivilegeList  %12               Any  View Codes


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Authorization Policy Change"


Audit Category: Policy Change

Audit Subcategory: Authorization Policy Change
