Event ID: 4794An attempt was made to set the Directory Services Restore Mode administrator password
An attempt was made to set the Directory Services Restore Mode administrator password. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Additional Information: Caller Workstation: %5 Status Code: %6
This event generates every time Directory Services Restore Mode (DSRM) administrator password is changed.
This event generates only on domain controllers.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User Account Management"
LEFT/RIGHT arrow keys for navigationBack to List