Windows Security Log Event ID 4715
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Policy Change
• Audit Policy Change |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
|
4715: The audit policy (SACL) on an object was changed
On this page
The description is poorly worded but this event is logged whenever you set the security descriptor used to delegate access to the audit policy. You can delegate authority to the system's audit policy using "auditpol /sd:".
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Audit Policy Change
Setup PowerShell Audit Log Forwarding in 4 Minutes
The audit policy (SACL) on an object was changed.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x4bfd71
Audit Policy Change:
Original Security Descriptor: D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)
New Security Descriptor: D:(A;;DCSWRPDTRC;;;BA(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection