Windows Security Log Event ID 4705

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Policy Change
 • Authorization Policy Change
Type Success
Corresponding events
in Windows 2003
and before
609  

4705: A user right was removed

On this page

This event documents a change to user right assignments on this computer including the right and user or group that lost the right.

Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows.

Rights, like most other security settings, are defined in group policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing).

Logon ID allows you to link this event to the prior event 4624 logon event of the user who performed this action.

Note: This event, 4705, and 4704 do not log changes to logon rights such as "Access this computer from the network" or "Logon as a service". See events 4714 and 4718

Subject:

The ID and logon session of the user that revoked the right.  Unfortunately this is just the local system account - see above. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Free Security Log Resources by Randy

Description Fields in 4705

Target Account:

The user or group that was lost the right. Account Name: name of user or group

New Right:

User Right: the name of the right revoked - See User Rights table in 4704

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 4705

A user right was removed.

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Target Account:

   Account Name:  Everyone

Removed Right:

   User Right:  SeCreateTokenPrivilege

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources