I wanted to generate the Event ID: 4765 (SID History was added to an account.) & 4766. (An attempt to add SID History to an account failed)

Anonymous
2024-05-24T20:37:26+00:00

I wanted to generate Event IDs 4765 (SID History was added to an account) and 4766 (An attempt to add SID History to an account failed) in Event Viewer on Windows Server 2019. Can someone share the proper way to do this?

I have tried with the documents below:
https://learn.microsoft.com/en-us/answers/questions/973114/how-can-i-add-permissions-to-sidhistory-attribute
https://github.com/MichaelGrafnetter/DSInternals/blob/master/Documentation/PowerShell/Add-ADDBSidHistory.md
https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-sid-history-attribute


Locked Question. This question was migrated from the Microsoft Support Community.


4 answers

  1. Anonymous
    2024-05-27T05:59:23+00:00

    Hi yuvraj_088,

    Thank you for posting in the Microsoft Community Forums.

    You can enable auditing.

    In the Group Policy Management Console, add the Edit Policy, navigate to:

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policy > Object Access.

    Ensure that Audit Other Object Access Events is enabled and select Success and Failure.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-05-27T20:52:11+00:00

    Hi NeuviJ

    Thank you for your reply. I have already made the changes you mentioned in the Group Policy Management Console, but I haven't received event IDs 4765 and 4766.

  3. Anonymous
    2024-05-28T00:05:06+00:00

    Hi yuvraj_088,

    Have a nice day!

    Event logs need to be received after the event has occurred. Turning on auditing is just to ensure that there is a place to view the event details later when the time occurs. If auditing has not been turned on before, you will not be able to check the details of events that have occurred before.

    Best regards

    Neuvi Jiang

  4. Anonymous
    2024-05-28T00:43:56+00:00

    Hello NeuviJ

    Thank you for the update. What activity should I perform to generate event IDs 4765, 4766 and 5124 in Event Viewer?

    I am using Windows Server 2019 Standard Evaluation for this task.

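A check for the auditing side of this thread, as an added example that is not part of any post above: it reads the effective audit policy for the subcategory named in the thread and for User Account Management (the subcategory under which Microsoft's audit documentation lists events 4765 and 4766), then lists any 4765/4766 records already in the Security log. It assumes an elevated PowerShell session on a domain controller and English subcategory names.

```powershell
# Added example, not from the thread. Run elevated on a domain controller.
# Assumption: English subcategory names (auditpol matches the localized name).

# 1. Effective audit policy: what the DC applies after Group Policy processing,
#    which can differ from what was set in the GPO editor.
$subcategories = 'User Account Management', 'Other Object Access Events'
$policy = foreach ($name in $subcategories) {
    auditpol.exe /get /subcategory:"$name" /r |
        Where-Object { $_ } |               # drop blank lines in the CSV report
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$policy | Format-Table -AutoSize

# 2. Any SID History audit records already present in the Security log.
$filter = @{ LogName = 'Security'; Id = 4765, 4766 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4765/4766 events in the Security log on this machine.'
}

# Flatten each record: fixed header fields plus every named EventData field,
# taken from the event XML so no field names are hard-coded here.
$report = foreach ($e in $events) {
    $row = [ordered]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Computer    = $e.MachineName
    }
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $row[$d.Name] = $d.'#text'
    }
    [pscustomobject]$row
}
$report | Format-List
```

Each domain controller writes to its own Security log, so run the query on every DC or against the forwarded-events store.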