Event ID 4793

The Password Policy Checking API was called

The Password Policy Checking API was called.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Additional Information:
    Caller Workstation:                      %5
    Provided Account Name (unauthenticated): %6
    Status Code:                             %7

This event generates each time the Password Policy Checking API is called.

The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.

This event, for example, generates during Directory Services Restore Mode (DSRM) account password reset procedure to check new DSRM password.

This event generates on the computer where Password Policy Checking API was called.

Note that starting with Microsoft SQL Server 2005, the “SQL Server password policy” feature can generate many 4793 events on a SQL Server.

Auditing: Always

Audit this event on domain controllers to identify unauthorized use of the RetrieveEncryptedSourcePasswords function.

Volume: Low

Microsoft Documentation

Event ID - 4793

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	DOMAIN\TheAdmin
Account Name	SubjectUserName	%2	Any	TheAdmin
Account Domain	SubjectDomainName	%3	Any	DOMAIN
Logon ID	SubjectLogonId	%4	Any	0x36f67
Caller Workstation	Workstation	%5	Any	ComputerName
Provided Account Name (unauthenticated)	TargetUserName	%6	Any	-
Status Code	Status	%7	Any	0x0

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Other Account Management Events"

How to enable Windows Auditing

Recommended Audit Policy

LEFT/RIGHT arrow keys for navigation

Back to List

Event ID 4793

Lookup Audit Policy Configuration Settings

Operating Systems:

Tags:

Audit Category:

Audit Subcategory: