Event ID: 4793

The Password Policy Checking API was called

The Password Policy Checking API was called.

    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Additional Information:
    Caller Workstation:                      %5
    Provided Account Name (unauthenticated): %6
    Status Code:                             %7

This event is generated each time the Password Policy Checking API is called.

The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.

For example, this event is generated during the Directory Services Restore Mode (DSRM) account password reset procedure, when the new DSRM password is checked.

This event is generated on the computer where the Password Policy Checking API was called.

Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.

Auditing:     Always

Audit this event on domain controllers to identify unauthorized use of the RetrieveEncryptedSourcePasswords function.

Volume:     Low

Microsoft Documentation

Event ID - 4793

    Name                                     Field              Insertion String  OS   Example
    Security ID                              SubjectUserSid     %1                Any  DOMAIN\TheAdmin
    Account Name                             SubjectUserName    %2                Any  TheAdmin
    Account Domain                           SubjectDomainName  %3                Any  DOMAIN
    Logon ID                                 SubjectLogonId     %4                Any  0x36f67
    Caller Workstation                       Workstation        %5                Any  ComputerName
    Provided Account Name (unauthenticated)  TargetUserName     %6                Any  -
    Status Code                              Status             %7                Any  0x0
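
Added example (not part of the original page or of Microsoft's documentation): a triage sketch that parses exported 4793 event XML using the field names listed above, counts calls per account and caller workstation, and lists events for review. The sample events, the host and account names, the expected-host list, and the rule "non-zero Status or unexpected workstation means review" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, domain, workstation, target, status):
    """Build one constructed 4793 event; not real log data."""
    data = {"SubjectUserSid": "S-1-5-21-0-0-0-1000", "SubjectUserName": user,
            "SubjectDomainName": domain, "SubjectLogonId": "0x36f67",
            "Workstation": workstation, "TargetUserName": target, "Status": status}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4793</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample: SQL Server noise, a DC-side call, and one outlier.
SAMPLE_EVENTS = [
    _event("sqlsvc", "DOMAIN", "SQL01", "-", "0x0"),
    _event("sqlsvc", "DOMAIN", "SQL01", "-", "0x0"),
    _event("TheAdmin", "DOMAIN", "DC01", "-", "0x0"),
    _event("jdoe", "DOMAIN", "WS042", "svc_backup", "0xc000006c"),  # constructed non-zero status
]

def parse_4793(xml_text):
    """Return the EventData fields of a 4793 event as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4793":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def triage(events, expected_hosts):
    """Count calls per (account, workstation) and collect events needing review.

    expected_hosts is a hypothetical allow-list of hosts where calls are routine,
    for example SQL Servers that enforce the SQL Server password policy.
    """
    counts, review = Counter(), []
    for rec in filter(None, map(parse_4793, events)):
        key = (f'{rec["SubjectDomainName"]}\\{rec["SubjectUserName"]}', rec["Workstation"])
        counts[key] += 1
        nonzero = int(rec["Status"], 16) != 0
        if nonzero or rec["Workstation"].upper() not in expected_hosts:
            review.append((key, rec["TargetUserName"], rec["Status"]))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_EVENTS, {"SQL01", "DC01"})
    for key, n in counts.most_common():
        print(n, *key)
    print("review:", review)
```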

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Account Management Events"
