Event ID 4739
Domain Policy was changed
Domain Policy was changed.
Change Type: %1 modified
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Domain:
Domain Name: %2
Domain ID: %3
Changed Attributes:
Min. Password Age: %9
Max. Password Age: %10
Force Logoff: %11
Lockout Threshold: %12
Lockout Observation Window: %13
Lockout Duration: %14
Password Properties: %15
Min. Password Length: %16
Password History Length: %17
Machine Account Quota: %18
Mixed Domain Mode: %19
Domain Behavior Version: %20
OEM Information: %21
Additional Information:
Privileges: %8
This event is generated when one of the following changes is made to the local computer security policy:
- Computer's Security Settings\Account Policies\Account Lockout Policy settings were modified.
- Computer's Security Settings\Account Policies\Password Policy settings were modified.
- The "Network security: Force logoff when logon hours expire" group policy setting was changed.
- The domain functional level was changed, or other attributes such as "Mixed Domain Mode", "Domain Behavior Version", or "Machine Account Quota" were changed.
Auditing:
Always
Domain policy changes potentially affect security settings of the entire domain and should therefore always be audited.
ISO 27001:2013 A.9.4.2
NIST 800-171: 3.1.8
NIST SP 800-53: AC-7
CMMC v2 L2: AC.L2-3.1.8
| Name | Field | Insertion String | OS | Example | Description |
|---|---|---|---|---|---|
| Change Type | DomainPolicyChanged | %1 | Any | Password Policy | The type of change which was made. "-" indicates the "Machine Account Quota" (ms-DS-MachineAccountQuota) domain attribute was modified. |
| Domain Name | DomainName | %2 | Any | DOMAIN | The name of the domain for which policy changes were made. |
| Domain ID | DomainSid | %3 | Any | DOMAIN\ | The SID of the domain for which policy changes were made. Event Viewer automatically tries to resolve SIDs and show the account name. |
| Security ID | SubjectUserSid | %4 | Any | SYSTEM | The account that made a change to specific local policy. |
| Account Name | SubjectUserName | %5 | Any | DC01$ | The name of the account that made a change to specific local policy. |
| Account Domain | SubjectDomainName | %6 | Any | DOMAIN | The Security ID subject’s domain or computer name. |
| Logon ID | SubjectLogonId | %7 | Any | 0x3e7 | |
| Privileges | PrivilegeList | %8 | Any | - | The list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. |
| Min. Password Age | MinPasswordAge | %9 | Any | - | “\Security Settings\Account Policies\Password Policy\Minimum password age” group policy. Numeric value. |
| Max. Password Age | MaxPasswordAge | %10 | Any | - | “\Security Settings\Account Policies\Password Policy\Maximum password age” group policy. Numeric value. |
| Force Logoff | ForceLogoff | %11 | Any | - | “\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire” group policy. |
| Lockout Threshold | LockoutThreshold | %12 | Any | 5 | “\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold” group policy. Numeric value. |
| Lockout Observation Window | LockoutObservationWindow | %13 | Any | - | “\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after” group policy. Numeric value. |
| Lockout Duration | LockoutDuration | %14 | Any | - | “\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration” group policy. Numeric value. |
| Password Properties | PasswordProperties | %15 | Any | - | Possible set values are 0, 1, 16, or 17. |
| Min. Password Length | MinPasswordLength | %16 | Any | - | “\Security Settings\Account Policies\Password Policy\Minimum password length” group policy. Numeric value. |
| Password History Length | PasswordHistoryLength | %17 | Any | 10 | “\Security Settings\Account Policies\Password Policy\Enforce password history” group policy. Numeric value. |
| Machine Account Quota | MachineAccountQuota | %18 | Any | - | ms-DS-MachineAccountQuota domain attribute was modified. Numeric value. |
| Mixed Domain Mode | MixedDomainMode | %19 | Any | - | |
| Domain Behavior Version | DomainBehaviorVersion | %20 | Any | - | msDS-Behavior-Version domain attribute was modified. Numeric value. |
| OEM Information | OemInformation | %21 | Any | - | |
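The fields above can be triaged automatically. The following is an added example, not part of the original page: it parses an exported 4739 event (XML) using the Field names listed here and reports changed attributes that weaken the policy. The sample event and the `BASELINE` values are constructed assumptions; the Password Properties bit meanings (1 = complexity required, 16 = reversible encryption) follow Microsoft's documentation of this event and are not stated on this page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a 4739 record as exported XML, using the Field names
# listed on this page. "-" means the attribute was not part of the change.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4739</EventID></System>
 <EventData>
  <Data Name="DomainPolicyChanged">Password Policy</Data>
  <Data Name="DomainName">DOMAIN</Data>
  <Data Name="SubjectUserName">DC01$</Data>
  <Data Name="MinPasswordLength">6</Data>
  <Data Name="PasswordHistoryLength">10</Data>
  <Data Name="PasswordProperties">16</Data>
  <Data Name="LockoutThreshold">0</Data>
  <Data Name="MachineAccountQuota">-</Data>
 </EventData>
</Event>"""

# Assumed baseline for illustration; replace with your organisation's policy.
BASELINE = {"MinPasswordLength": 14, "PasswordHistoryLength": 24}

def parse_4739(xml_text):
    """Return the EventData fields of a 4739 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4739":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}

def weakening_findings(fields):
    """List changed attributes that fall below the assumed baseline."""
    changed = {k: v for k, v in fields.items() if v.isdigit()}  # skips "-"
    out = []
    for name, floor in BASELINE.items():
        if name in changed and int(changed[name]) < floor:
            out.append(f"{name}={changed[name]} below baseline {floor}")
    if changed.get("LockoutThreshold") == "0":
        out.append("LockoutThreshold=0 disables account lockout")
    props = changed.get("PasswordProperties")
    if props is not None:
        if not int(props) & 1:
            out.append("PasswordProperties: complexity requirement off")
        if int(props) & 16:
            out.append("PasswordProperties: reversible encryption on")
    return out
```

The event carries only the new values, so comparing against a fixed baseline is what makes a weakening change visible; attributes reported as "-" are ignored.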
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Authentication Policy Change"