Event ID: 4794

An attempt was made to set the Directory Services Restore Mode administrator password

An attempt was made to set the Directory Services Restore Mode
administrator password.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Additional Information:
    Caller Workstation: %5
    Status Code:        %6


This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed.

This event generates only on domain controllers.

Microsoft Documentation

Event ID - 4794



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %2 Any dadmin
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x36f67
Caller Workstation Workstation %5 Any DC01
Status Code Status %6 Any 0x0


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"



LEFT/RIGHT arrow keys for navigation

Back to List