Event ID 4912 - Per User Audit Policy was changed

Event ID: 4912

Per User Audit Policy was changed

Per User Audit Policy was changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Policy For Account:
    Security ID:        %5

Policy Change Details:
    Category:           %6
    Subcategory:        %7
    Subcategory GUID:   %8
    Changes:            %9

Microsoft Documentation

Event ID - 4912

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Audit Policy Change"

How to enable Windows Auditing

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Audit Category:

Policy Change

Audit Subcategory:

Audit Policy Change

Legacy Events:

807

LEFT/RIGHT arrow keys for navigation

Back to List