Event ID: 4794

An attempt was made to set the Directory Services Restore Mode administrator password

An attempt was made to set the Directory Services Restore Mode
administrator password.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Additional Information:
    Caller Workstation: %5
    Status Code:        %6


This event is generated every time the Directory Services Restore Mode (DSRM) administrator password is changed.

This event generates only on domain controllers.

Auditing:     Always


Microsoft Documentation

Event ID - 4794



Name                Field              Insertion String  OS   Example
Security ID         SubjectUserSid     %1                Any  S-1-5-21-3457937927-2839227994-823803824-1104
Account Name        SubjectUserName    %2                Any  dadmin
Account Domain      SubjectDomainName  %3                Any  DOMAIN
Logon ID            SubjectLogonId     %4                Any  0x36f67
Caller Workstation  Workstation        %5                Any  DC01
Status Code         Status             %6                Any  0x0
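
The following Python is an added example, not part of the original page or of Microsoft's documentation. It parses the XML form of a 4794 event using the field names from the table above and triages it. The approved-account list, the severity labels, and the sample event (built from the Example column, with a made-up computer name) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FIELDS = ("SubjectUserSid", "SubjectUserName", "SubjectDomainName",
          "SubjectLogonId", "Workstation", "Status")

# Constructed sample: field values come from the Example column of the table;
# the Computer name is a placeholder.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4794</EventID><Computer>DC01.example.test</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0x36f67</Data>
<Data Name="Workstation">DC01</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>"""

def parse_4794(xml_text):
    """Return the 4794 fields as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if event_id.strip() != "4794":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    missing = [f for f in FIELDS if f not in data]
    if missing:
        raise ValueError(f"4794 event missing fields: {missing}")
    return {f: data[f] for f in FIELDS}

def triage(event, approved_accounts):
    """Classify a parsed event; approved_accounts (hypothetical) holds DOMAIN\\user."""
    who = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}".lower()
    succeeded = int(event["Status"], 16) == 0   # 0x0 means the change succeeded
    approved = who in {a.lower() for a in approved_accounts}
    if succeeded and not approved:
        severity = "high"     # DSRM password set by an unexpected account
    elif not approved:
        severity = "medium"   # failed attempt by an unexpected account
    else:
        severity = "info"     # expected admin; reconcile with change records
    return {"account": who, "workstation": event["Workstation"],
            "succeeded": succeeded, "severity": severity}

if __name__ == "__main__":
    print(triage(parse_4794(SAMPLE_XML), approved_accounts=[]))
```
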


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"


