Event ID: 4794

An attempt was made to set the Directory Services Restore Mode administrator password

An attempt was made to set the Directory Services Restore Mode
administrator password.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Additional Information:
    Caller Workstation: %5
    Status Code:        %6

Microsoft Documentation

Event ID - 4794



This event generates every time the Directory Services Restore Mode (DSRM) administrator password is changed.

This event generates only on domain controllers.



Name                Field              Insertion String  OS   Example
Security ID         SubjectUserSid     %1                Any  S-1-5-21-3457937927-2839227994-823803824-1104
Account Name        SubjectUserName    %2                Any  dadmin
Account Domain      SubjectDomainName  %3                Any  DOMAIN
Logon ID            SubjectLogonId     %4                Any  0x36f67
Caller Workstation  Workstation        %5                Any  DC01
Status Code         Status             %6                Any  0x0


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"