Event ID 4819
Central Access Policies on the machine have been changed
Central Access Policies on the machine have been changed.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Object:
Object Server: %5
Object Type: %6
CAPs Added:%7
CAPs Deleted:%8
CAPs Modified:%9
CAPs As-Is:%10
This event generates when Central Access Policy on the machine have been changed.
For example, it generates when a new Central Access Policy was applied to the machine via Group Policy.
| Name |
Field |
Insertion String |
OS |
Example |
|
|
|
Security ID |
SubjectUserSid |
%1 |
Any |
SYSTEM
|
|
|
Account Name |
SubjectUserName |
%2 |
Any |
DC05$
|
|
|
Account Domain |
SubjectDomainName |
%3 |
Any |
MYDOMAIN
|
|
|
Logon ID |
SubjectLogonId |
%4 |
Any |
0x3e7
|
|
|
Object Server |
ObjectServer |
%5 |
Any |
LSA
|
|
|
Object Type |
ObjectType |
%6 |
Any |
Central Access Policies
|
|
|
CAPs Added |
AddedCAPs |
%7 |
Any |
Main Policy
|
|
|
CAPs Deleted |
DeletedCAPs |
%8 |
Any |
|
|
|
CAPs Modified |
ModifiedCAPs |
%9 |
Any |
|
|
|
CAPs As-Is |
AsIsCAPs |
%10 |
Any |
|
The account that changed the Central Access Policies on the machine. This event is typically triggered by the SYSTEM account
The name of the account that changed the Central Access Policies on the machine.
Security ID subject's domain or computer name.
Value is always "Central Access Policies"
The list of added Central Access Policies. Empty if no Central Access Policies were added.
The list of deleted Central Access Policies. Empty if no Central Access Policies were deleted.
The list of modified Central Access Policies. Empty if no Central Access Policies were modified.
The list of non-modified Central Access Policies. Empty if no additional Central Access Policies were unchanged.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Other Policy Change Events"
LEFT/RIGHT arrow keys for navigation
Back to List