Event ID: 4912

Per User Audit Policy was changed 

Per User Audit Policy was changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Policy For Account:
    Security ID:        %5

Policy Change Details:
    Category:           %6
    Subcategory:        %7
    Subcategory GUID:   %8
    Changes:            %9


Auditing:     Always

This event is always logged regardless of the "Audit Policy Change" sub-category setting.


Volume:     Low


Microsoft Documentation

Event ID - 4912



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\TheAdmin
Account Name SubjectUserName %2 Any TheAdmin
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x11ae30
Security ID TargetUserSid %5 Any DOMAIN\SomeUser
Category CategoryId %6 Any Detailed Tracking
Subcategory SubcategoryId %7 Any Audit DPAPI Activity
Subcategory GUID SubcategoryGuid %8 Any {0CCE922D-69AE-11D9-BED3-505054503030}
Changes AuditPolicyChanges %9 Any Success include added

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Audit Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Tags:
Audit Success
Audit Category:
Policy Change

Audit Subcategory:
Audit Policy Change
Legacy Events:
807

LEFT/RIGHT arrow keys for navigation

Back to List