Event ID: 4739

Domain Policy was changed

Domain Policy was changed.

Change Type:            %1 modified

    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

    Domain Name:        %2
    Domain ID:          %3

Changed Attributes:
    Min. Password Age:  %9
    Max. Password Age:  %10
    Force Logoff:       %11
    Lockout Threshold:  %12
    Lockout Observation Window: %13
    Lockout Duration:           %14
    Password Properties:        %15
    Min. Password Length:       %16
    Password History Length:    %17
    Machine Account Quota:      %18
    Mixed Domain Mode:          %19
    Domain Behavior Version:    %20
    OEM Information:            %21

Additional Information:
    Privileges:                 %8

Generates when one of the following changes was made to local computer security policy:

  • Computer’s Security Settings\Account Policies\Account Lockout Policy settings were modified.

  • Computer's Security Settings\Account Policies\Password Policy settings were modified.

  • Network security: Force logoff when logon hours expire group policy setting was changed.

  • Domain functional level was changed or some other attributes such as "Mixed Domain Mode", "Domain Behavior Version", or "Machine Account Quota" changed.

Auditing:     Always

Domain policy changes potentially affect security settings of the entire domain and should therefore always be audited.

Volume:     Low

ISO 27001:2013 A.9.4.2
NIST 800-171: 3.1.8
NIST SP 800-53: AC-7

Microsoft Documentation

Event ID - 4739

Name Field Insertion String OS Example
Change Type DomainPolicyChanged %1 Any Password Policy
Domain Name DomainName %2 Any DOMAIN
Domain ID DomainSid %3 Any DOMAIN\
Security ID SubjectUserSid %4 Any SYSTEM
Account Name SubjectUserName %5 Any DC01$
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x3e7
Privileges PrivilegeList %8 Any -
Min. Password Age MinPasswordAge %9 Any -
Max. Password Age MaxPasswordAge %10 Any -
Force Logoff ForceLogoff %11 Any -
Lockout Threshold LockoutThreshold %12 Any 5
Lockout Observation Window LockoutObservationWindow %13 Any -
Lockout Duration LockoutDuration %14 Any -
Password Properties PasswordProperties %15 Any -
Min. Password Length MinPasswordLength %16 Any -
Password History Length PasswordHistoryLength %17 Any 10
Machine Account Quota MachineAccountQuota %18 Any -
Mixed Domain Mode MixedDomainMode %19 Any -
Domain Behavior Version DomainBehaviorVersion %20 Any -
OEM Information OemInformation %21 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Authentication Policy Change"

LEFT/RIGHT arrow keys for navigation

Back to List