Windows Security Log Event ID 4716
Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Policy Change
 • Authentication Policy Change
Type Success
Corresponding events
in Windows 2003
and before
620  
Discussions on Event ID 4716
4716 Trusted Domain info was modified

4716: Trusted domain information was modified

On this page

This event is logged for modifications to trust relationships connecting to this domain. While the description says "Trusted" this event applies to both trusted and trusting relationships as documented by Trust Information.

Subject:

The ID and logon session of the user that excercised modified the trust.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Trusted Domain:

The other domain in this trust relationship which despite the word "Trusted" may be a trusting or trusted domain or both.  See Trust Information.

  • Domain Name: the DNS name of the domain
  • Domain ID: the pre-Win2k (NetBIOS) name of the domain

New Trust Information:

All the information that defines the type of trust after this change, whether it is one way or mutual, transitivity, etc.

  • Trust Type:  
    1 TRUST_TYPE_DOWNLEVEL The other domain is pre-Win2k (NTLM only supported)
    2 TRUST_TYPE_UPLEVEL The other domain is Win2k or later (Windows Kerberos supported)
    3 TRUST_TYPE_MIT Other domain is actually an MIT Kerberos Realm (probably UNIX)
    4 TRUST_TYPE_DCE The trusted domain is a DCE realm 
  • Trust Direction:
    Disabled 0x0
    Inbound 0x1
    Outbound 0x2
    Bidirectional 0x3 
  • Trust Attributes: A bitwise value compromised of any of the following
    • TRUST_ATTRIBUTE_NON_TRANSITIVE 1
    • TRUST_ATTRIBUTE_UPLEVEL_ONLY 2
    • TRUST_ATTRIBUTE_FILTER_SIDS 4
    • TRUST_ATTRIBUTE_FOREST_TRANSITIVE 8
  • SID Filtering:  Enabled (always enabled for domains within the same forest).  http://technet2.microsoft.com/windowsserver/en/library/01e5cf71-b317-4967-82a2-75b7b632b7461033.mspx?mfr=true

Top 10 Windows Security Events to Monitor

Trusted domain information was modified.

Subject: 

   Security ID:  ACME-FR\administrator
   Account Name:  administrator
   Account Domain:  ACME-FR
   Logon ID:  0x20f9d

Trusted Domain: 

   Domain Name:  -
   Domain ID:  ACME\

New Trust Information: 

   Trust Type:  2
   Trust Direction:  3
   Trust Attributes:  32
   SID Filtering:  -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this