This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 81%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
In my lab environment, I noticed that on weekend the user/group permission was revoked in few folder under D drive in windows server 2019. Is there any option or event id to find that who removed the access? is it manual or GPO or any? will it be remove by automatic?
I already checked the event id 4670 and below details found but it is not enough to confirm because there is no account id in it.
Permission on an object were changed.
Subject:
Security id: System
Object:
Obeject server: Security
Object Type: Token
Process:
Process Name: C:\windows\system32\svchost.exe