Event ID: 4739Domain Policy was changed
Domain Policy was changed. Change Type: %1 modified Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Domain: Domain Name: %2 Domain ID: %3 Changed Attributes: Min. Password Age: %9 Max. Password Age: %10 Force Logoff: %11 Lockout Threshold: %12 Lockout Observation Window: %13 Lockout Duration: %14 Password Properties: %15 Min. Password Length: %16 Password History Length: %17 Machine Account Quota: %18 Mixed Domain Mode: %19 Domain Behavior Version: %20 OEM Information: %21 Additional Information: Privileges: %8
Generates when one of the following changes was made to local computer security policy:
Computer’s Security Settings\Account Policies\Account Lockout Policy settings were modified.
Computer's Security Settings\Account Policies\Password Policy settings were modified.
Network security: Force logoff when logon hours expire group policy setting was changed.
Domain functional level was changed or some other attributes such as "Mixed Domain Mode", "Domain Behavior Version", or "Machine Account Quota" changed.
Domain policy changes potentially affect security settings of the entire domain and should therefore always be audited.
ISO 27001:2013 A.9.4.2
NIST 800-171: 3.1.8
NIST SP 800-53: AC-7
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Authentication Policy Change"
LEFT/RIGHT arrow keys for navigationBack to List