Event ID: 4819

Central Access Policies on the machine have been changed

Central Access Policies on the machine have been changed.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:       %4

    Object Server:      %5
    Object Type:        %6

CAPs Added:%7

CAPs Deleted:%8

CAPs Modified:%9

CAPs As-Is:%10

This event generates when Central Access Policy on the machine have been changed.

For example, it generates when a new Central Access Policy was applied to the machine via Group Policy.

Auditing:     Always

Volume:     Low

Microsoft Documentation

Event ID - 4819

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SYSTEM
Account Name SubjectUserName %2 Any DC05$
Account Domain SubjectDomainName %3 Any MYDOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Object Server ObjectServer %5 Any LSA
Object Type ObjectType %6 Any Central Access Policies
CAPs Added AddedCAPs %7 Any Main Policy
CAPs Deleted DeletedCAPs %8 Any
CAPs Modified ModifiedCAPs %9 Any
CAPs As-Is AsIsCAPs %10 Any

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Policy Change Events"

LEFT/RIGHT arrow keys for navigation

Back to List