Event ID: 4739

Domain Policy was changed.

Change Type:            %1 modified

    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

    Domain Name:        %2
    Domain ID:          %3

Changed Attributes:
    Min. Password Age:  %9
    Max. Password Age:  %10
    Force Logoff:       %11
    Lockout Threshold:  %12
    Lockout Observation Window: %13
    Lockout Duration:           %14
    Password Properties:        %15
    Min. Password Length:       %16
    Password History Length:    %17
    Machine Account Quota:      %18
    Mixed Domain Mode:          %19
    Domain Behavior Version:    %20
    OEM Information:            %21

Additional Information:
    Privileges:                 %8

This event is generated when one of the following changes is made to the local computer security policy:

  • Computer's Security Settings\Account Policies\Account Lockout Policy settings were modified.

  • Computer's Security Settings\Account Policies\Password Policy settings were modified.

  • The "Network security: Force logoff when logon hours expire" Group Policy setting was changed.

  • The domain functional level or another attribute was changed (see details in the event description).
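The %N placeholders in the template above are the 1-based positions of the values in the event's EventData, so an exported event can be decoded by position and reduced to the attributes that actually changed. The following Python sketch is an added example, not part of the original page or of Microsoft's documentation; the sample event, the "-" marker for unchanged attributes, and the 14-character baseline are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Labels for %1..%21, in placeholder order, taken from the event text above.
FIELDS = ["Change Type", "Domain Name", "Domain ID", "Security ID",
          "Account Name", "Account Domain", "Logon ID", "Privileges",
          "Min. Password Age", "Max. Password Age", "Force Logoff",
          "Lockout Threshold", "Lockout Observation Window", "Lockout Duration",
          "Password Properties", "Min. Password Length",
          "Password History Length", "Machine Account Quota",
          "Mixed Domain Mode", "Domain Behavior Version", "OEM Information"]
ATTRIBUTES = FIELDS[8:]  # %9..%21, the "Changed Attributes" block

# Constructed sample values (not from a real log); assumption: "-" marks a
# field the event did not change.
SAMPLE_VALUES = ["Lockout Policy", "CONTOSO", "S-1-5-21-0-0-0", "S-1-5-18",
                 "DC01$", "CONTOSO", "0x3e7", "-"] + ["-"] * 13
SAMPLE_VALUES[FIELDS.index("Lockout Threshold")] = "0"
SAMPLE_XML = ('<Event xmlns="%s"><System><EventID>4739</EventID></System>'
              "<EventData>%s</EventData></Event>"
              % (NS["e"], "".join("<Data>%s</Data>" % v for v in SAMPLE_VALUES)))


def parse_4739(xml_text):
    """Return the event's fields keyed by template label, or None if not 4739."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4739":
        return None
    values = [(d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)]
    if len(values) != len(FIELDS):
        raise ValueError("expected %d Data values, got %d"
                         % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))


def changed_attributes(record):
    """Only the attributes this event actually modified."""
    return {k: record[k] for k in ATTRIBUTES if record[k] not in ("", "-")}


def weakening(changed, min_length=14):  # min_length: assumed local baseline
    """Flag changes that loosen lockout or password length settings."""
    notes = []
    if changed.get("Lockout Threshold") == "0":  # 0 = accounts never lock out
        notes.append("account lockout disabled (threshold 0)")
    length = changed.get("Min. Password Length", "")
    if length.isdigit() and int(length) < min_length:
        notes.append("min. password length %s below %d" % (length, min_length))
    return notes
```
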

Auditing:     Always

Domain policy changes potentially affect security settings of the entire domain and should therefore always be audited.

Volume:     Low

ISO 27001:2013 A.9.4.2
NIST 800-171: 3.1.8
NIST SP 800-53: AC-7

Microsoft Documentation

Event ID - 4739

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Authentication Policy Change"

