Windows Security Log Event ID 620

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4716  

620: Trusted Domain Information Modified

On this page

This event varies depending on the OS.

Win2000

It appears this event only gets logged upon trust additions, not removals. A better set of events to use are 610 and 611. The DC logs this event for both new trusted and trusting domains. There is no way to make a distinction.

Win2003

Logged when an existing trust's properties are modified. For instance, turning on transitivity. Applies to trusted and trusting trust relationships.
See also event IDs 610 and 611.

Free Security Log Resources by Randy

Description Fields in 620

  • Trusted Domain Information Modified:
  • Domain Name: %1
  • Domain ID: %2
  • Modified By:
  • User Name: %3
  • Domain:  %4
  • Logon ID: %5

     Windows Server 2003 adds the following:

  • Trust Type: %6
  • Trust Direction: %7
  • Trust Attributes: %8
  • SID Filtering: %9

 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 620

Win2000

Trusted Domain Information Modified:
Domain Name:Europe
Domain ID:-
Modified By:
User Name:administrator
Domain:ELMW2
Logon ID:(0x0,0x804C2)

Win2003

Trusted Domain Information Modified:
Domain Name: -
Domain ID: -
Modified By:
User Name: administrator
Domain: ELM
Logon ID: (0x0,0x1281A)
Trust Type: -
Trust Direction: -
Trust Attributes: 0
SID Filtering: Disabled

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources