What exactly was changed in audit policy change log (Event ID 4719)

Question

What exactly was changed in audit policy change log (Event ID 4719)

Loeun Sokoeun 0

Currently we receive event log of Event ID 4719 Success Audit: System audit policy was changed. We seem to not able to find what was changed and who changed it by just checking the Event ID 4719.

Please kindly share what can we do to find what were changed from this event.

Thanks!

Anonymous

2023-08-21T07:24:06.74+00:00

Hello Loeun Sokoeun,

How are things going? I have not heard back from you in a few days and wanted to check on the status of your problem. Please let me know the results of your troubleshooting.

Your time is greatly appreciated.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Loeun Sokoeun 0 Reputation points

2023-08-22T04:13:43.5833333+00:00

Dear Daisy Zhou,

I did not test in a lab. I review log from production pcs.

I could see Object Access\File System or Object Access/Handle Manipulation in the log too and Account Name is computer name$. At this point I don't know what happened.

Regards,

Sokoeun

2 answers

Your answer

Anonymous

2023-08-21T07:24:06.74+00:00

Hello Loeun Sokoeun,

How are things going? I have not heard back from you in a few days and wanted to check on the status of your problem. Please let me know the results of your troubleshooting.

Your time is greatly appreciated.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Loeun Sokoeun 0 Reputation points

2023-08-22T04:13:43.5833333+00:00

Dear Daisy Zhou,

I did not test in a lab. I review log from production pcs.

I could see Object Access\File System or Object Access/Handle Manipulation in the log too and Account Name is computer name$. At this point I don't know what happened.

Regards,

Sokoeun

Answer 1

Anonymous

Hello Loeun Sokoeun,

Thank you for posting in our Q&A forum.

Event ID 4719 will generate after I changed any audit policy successfully.

For example, in my lab, I tested as below.

1.After I enabled one audit policy as below.
audit1

Then I run gpupdate /for, I will see the 14 events related to 4719.
Because the Audit object access contains 14 sub policy entries (we can see the number of 14 sub policy entries via Advanced Audit Policy).

Note: you can try to change any audit policy setting in test lab and check the event ID 4719.

Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Loeun Sokoeun 0 Reputation points

2023-08-07T04:21:46.3133333+00:00

Dear @Daisy Zhou,

Your answer above is correct regarding the event id, however; for my case I need help to find out what was actually changed on my servers/pcs that make this event id generated. This kind of event is generating on servers and on recent turned-on pcs that usually were turn on/off every day. Could you help recommend what can I do to investigate this event id based on my environment? Should I open case and request Microsoft team to help investigate or should I request for support here?

Warm Regards,

Sokoeun
Anonymous

2023-08-07T05:26:23.3233333+00:00

Hello Loeun Sokoeun,

Thank you for your reply.
You can check as below:
1-I enabled Computer Configuration\Windows settings\security settings\local policies\audit policy\object access==> I checked success and failure

2.Run gpupdate /force command.
3.About one 4719, I will see 4719 with Object Access\FIle System (Success added and Failure added). You can check one of the 4719 in your case.

4.For who change the audit policy, I will see (System and computername$).

Best Regards,
Daisy Zhou
Loeun Sokoeun 0 Reputation points

2023-08-30T01:35:39.7966667+00:00

Hello @Daisy Zhou,

4.For who change the audit policy, I will see (System and computername$). For who change here may I know why it is not the username but computername$ instead?

Regards,

Sokoeun
Yehudi 0 Reputation points

2024-07-10T18:53:27.0366667+00:00

Hello Daisy Zhou, Loeun Sokoeun, did you manage to figure out why is computername$ showing instead of real username? Is there any option to get the user name? maybe in other event log?

Regards,

Yehudi

Answer 2

Hi Loeun Sokoeun,

To see exactly what change was made in the security audit policy, you can take the "SubcategoryGuid" field of the log. from where you can get the exact subcategory where the change was made.

With the command "auditpol /list /subcategory:* /v" you can see the GUID for each subcategory.

Auditpol

And with the number in the "AuditPolicyChanges" field you can see if the success/failure of that subcategory was activated/deactivated.

options for "AuditPolicyChanges":

%%8448 Success removed
%%8449 Success Added
%%8450 Failure removed
%%8451 Failure added

Even though it has been almost a year I hope it will be helpful to you and others who need it.

Best Regards.

Share via

What exactly was changed in audit policy change log (Event ID 4719)

2 answers

Your answer