URL: https://community.spiceworks.com/topic/1946834-event-id-4719-audit-policy-was-changed
Submission: On July 23 via manual from US — Scanned from DE

EVENT ID 4719 AUDIT POLICY WAS CHANGED

Posted by JimmyJon on Dec 6th, 2016 at 2:02 PM
Windows Server

Hello,

I am checking the security log and seeing a bunch of event ID 4719 (System
Policy Change) events that were generated by AD itself around 9:20PM. At that
time no one should be around in the company. Is that normal?

System audit policy was changed.

Subject:
  Security ID:   SYSTEM
  Account Name:    domain-AD$
  Account Domain:    domain
  Logon ID:   0x3E7

Audit Policy Change:
  Category:   Account Logon
  Subcategory:   Other Account Logon Events
  Subcategory GUID: {0cce9241-69ae-11d9-bed3-505054503030}
  Changes:   Success Added, Failure added


Thank you.

7 REPLIES

 * Tim Lovegrove
   serrano
   Dec 6th, 2016 at 2:23 PM
   
   It depends what the GPO refresh rate is. It's perfectly possible that someone
   changed the audit settings during office hours, but they are only being
   applied 3, 4, 5, whatever hours later. GPO refresh can be adjusted to
   increase or decrease the regularity with which a machine checks and refreshes
   the applied GPOs.
   
   That said, it's definitely suspicious and should be followed up on. If no
   changes were made to Group Policy then you need to know what caused the
   change.
   
 * 1101
   chipotle
   Dec 6th, 2016 at 2:27 PM
   
   It sounds like a conflict of policies....
   
   Have a look at
   https://social.technet.microsoft.com/Forums/windowsserver/en-US/ebcd93c6-4803-4770-a680-d58cbaa13b33/how-to-stop-event-4719?forum=winserversecurity
   
   
   
   Using both advanced and basic audit policy settings can cause unexpected
   results. If you use Advanced Audit Policy Configuration settings or use logon
   scripts (for computers running Windows Vista or Windows Server 2008) to apply
   advanced audit policy, be sure to enable the Audit: Force audit policy
   subcategory settings (Windows Vista or later) to override audit policy
   category settings policy setting under Local Policies\Security Options. This
   will prevent conflicts between similar settings by forcing basic security
   auditing to be ignored.
   
   For more information, please refer to:
   
   Advanced Security Auditing FAQ
   http://technet.microsoft.com/en-us/library/ff182311(WS.10).aspx
   
   Advanced Security Auditing in Windows 7 and Windows Server 2008 R2
   http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-a...
 * Michael (Netwrix)
   
   Brand Representative for Netwrix
   
   ghost chili
   Dec 6th, 2016 at 2:45 PM
   You can try Netwrix Auditor for Active Directory to get clear, easy to
   understand information about the issue.
 * OP JimmyJon
   sonora
   Dec 6th, 2016 at 2:49 PM
   
   Thank you for replying. We have set the refresh rate to 5 mins and 30 mins as
   a random time in Group Policy, so at 9:20PM there must have been some
   activities going on to trigger the event. (The company is closed at 5pm.)
   
 * OP JimmyJon
   sonora
   Dec 6th, 2016 at 2:54 PM
   
   We only utilize the basic audit policy so I'm sure this is not the case. 
   
   @Michael: I will try the tool. Seems it's a good reference.
   
 * Rupesh (Lepide)
   
   Brand Representative for Lepide
   
   ghost chili
   Dec 7th, 2016 at 10:45 AM
   
   You may check this article, related to 4719(S): System audit policy was
   changed:
   https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4719
   
   
   Additionally, you can also try Lepide Auditor for Active Directory to get
   complete visibility of what is going on in your organization.
   
 * Deepak-Kumar-Ambala
   New contributor pimiento
   Oct 9th, 2018 at 10:56 AM
   
   Please make sure the "audit force policy" is enabled.
   
   Enable Subcategory Override
   
   Audit: Force audit policy subcategory settings (Windows Vista or later) to
   override audit policy category settings: Enable
   
   Computer Configuration\Policies\Windows Settings\Security Settings\Local
   Policies\Security Options
   
   Regards: Deepak Kumar (Technical Specialist)
