Event ID: 4705

A user right was removed

A user right was removed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:       %4

Target Account:
    Account Name:       %5

Removed Right:
    User Right:     %6

Generates every time the local user right policy is changed and user right was removed from an account.

ISO 27001:2013 A.9.2.5
NIST 800-171: 3.1.1
NIST 800-171: 3.1.2
NIST 800-171: 3.3.8
NIST 800-171: 3.3.9
NIST SP 800-53: AC-2
NIST SP 800-53: AC-6 (7)
CMMC L1
CMMC L3

Microsoft Documentation

Event ID - 4705

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Authorization Policy Change"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows 2008 R2 Windows 2012 R2 Windows 2016 Windows 2019

Tags:

ISO 27001:2013 NIST 800-171 NIST SP 800-53 Audit Success CMMC L1 CMMC L3

Audit Category:

Policy Change

Audit Subcategory:

Authorization Policy Change

Legacy Events:

609

LEFT/RIGHT arrow keys for navigation

Back to List