Event ID 4705

A user right was removed 

A user right was removed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Target Account:
    Account Name:       %5

Removed Right:
    User Right:         %6


Generates every time the local user right policy is changed and user right was removed from an account.

ISO 27001:2013 A.9.2.5
NIST 800-171: 3.1.1
NIST 800-171: 3.1.2
NIST 800-171: 3.3.8
NIST 800-171: 3.3.9
NIST SP 800-53: AC-2
NIST SP 800-53: AC-6 (7)
CMMC v2 L1: AC.L1-3.1.1
CMMC v2 L1: AC.L1-3.1.2
CMMC v2 L2: AU.L2-3.3.8
CMMC v2 L2: AU.L2-3.3.9


Microsoft Documentation

Event ID - 4705



Name Field Insertion String OS Example
SubjectUserSid Security ID %1 Any S-1-5-18
Account Name SubjectUserName %2 Any DC05$
Account Domain SubjectDomainName %3 Any MYDOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Account Name TargetSid %5 Any MYDOMAIN\JohnDoe
User Right PrivilegeList %6 Any View Codes

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Authorization Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 2008 R2 Windows 2012 R2 Windows 2016 Windows 2019 Windows 2008 Windows 2012 Windows 8 Windows 8.1 Windows 2022

Tags:
ISO 27001:2013 NIST 800-171 NIST SP 800-53 Audit Success CMMC L1 CMMC L3
Audit Category:
Policy Change

Audit Subcategory:
Authorization Policy Change
Legacy Events:
609

Correlated Events:
4624

LEFT/RIGHT arrow keys for navigation

Back to List