Windows Security Log Event ID 4719

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10
Category: Policy Change
Subcategory: Audit Policy Change
Type: Success
Corresponding events in Windows 2003 and before: 612

4719: System audit policy was changed

This computer's system-level audit policy was modified, either via Local Security Policy, Group Policy in Active Directory or the auditpol command.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

If Group Policy was used to configure audit policy, the Subject fields unfortunately do not identify who actually changed the policy. In such cases this event always shows the local computer as the one that changed the policy, since the computer is the security principal under which gpupdate runs.

If auditpol was used to configure audit policy, the event properly reflects the user in Subject:.

Subject:

The ID and logon session of the user that changed the policy. When Group Policy made the change, this is always the local system; see the note above.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Audit Policy Change:

Category:  

  • Account Logon
  • Account Management
  • Detailed Tracking
  • Directory Service
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System Events

Subcategory:

  • Security State Change
  • Security System Extension
  • System Integrity
  • IPsec Driver
  • Other System Events
  • Logon
  • Logoff
  • Account Lockout
  • IPsec Main Mode
  • Special Logon
  • IPsec Quick Mode
  • IPsec Extended Mode
  • Other Logon/Logoff Events
  • Network Policy Server
  • File System
  • Registry
  • Kernel Object
  • SAM
  • Other Object Access Events
  • Certification Services
  • Application Generated
  • Handle Manipulation
  • File Share
  • Filtering Platform Packet Drop
  • Filtering Platform Connection
  • Sensitive Privilege Use
  • Non Sensitive Privilege Use
  • Other Privilege Use Events
  • Process Creation
  • Process Termination
  • DPAPI Activity
  • RPC Events
  • Audit Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
  • MPSSVC Rule-Level Policy Change
  • Filtering Platform Policy Change
  • Other Policy Change Events
  • User Account Management
  • Computer Account Management
  • Security Group Management
  • Distribution Group Management
  • Application Group Management
  • Other Account Management Events
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  • Credential Validation
  • Kerberos Service Ticket Operations
  • Other Account Logon Events
  • Kerberos Authentication Service

Subcategory GUID: The globally unique identifier of the subcategory.

Changes:

  • Failure added
  • Failure removed
  • Success added
  • Success removed

 

Subject:

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Audit Policy Change:

  •  Category:  %5
  •  Subcategory:  %6
  •  Subcategory GUID: %7
  •  Changes:  %8

System audit policy was changed.

Subject:

   Security ID:  S-1-5-21-3108364787-189202583-342365621-500
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x169e9

Audit Policy Change:

   Category:  Logon/Logoff
   Subcategory:  Special Logon
   Subcategory GUID: {0CCE921B-69AE-11D9-BED3-505054503030}
   Changes:  Failure added
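
A triage sketch for the points above, as an added example that is not part of the original page: it parses the rendered 4719 description, flags any "removed" change, and reports whether Subject names a user (auditpol) or the computer (Group Policy). The two removal events, the comma-separated Changes value, the WORKGROUP domain and the function names are constructed assumptions.

```python
import re

# Layout of the rendered 4719 description, as shown on this page.
TEMPLATE = """System audit policy was changed.
Subject:
   Security ID:  {sid}
   Account Name:  {name}
   Account Domain:  {domain}
   Logon ID:  0x169e9
Audit Policy Change:
   Category:  Logon/Logoff
   Subcategory:  Special Logon
   Subcategory GUID: {{0CCE921B-69AE-11D9-BED3-505054503030}}
   Changes:  {changes}
"""
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID",
          "Category", "Subcategory", "Subcategory GUID", "Changes")
ADMIN_SID = "S-1-5-21-3108364787-189202583-342365621-500"
HOST = "WIN-R9H529RIO4Y"

def parse_4719(message):
    """Extract the eight labelled fields of a rendered 4719 description."""
    event = {}
    for name in FIELDS:
        pattern = r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$"
        m = re.search(pattern, message, re.M)
        event[name] = m.group(1) if m else ""
    return event

def assess(event):
    """Flag removed auditing and say whether Subject names a real actor."""
    # Assumption: several changes in one event are comma-separated.
    changes = [c.strip().lower() for c in event["Changes"].split(",") if c.strip()]
    removed = [c for c in changes if c.endswith("removed")]
    # Per the page, Group Policy changes show the local computer as Subject:
    # the Local System SID (S-1-5-18) or an account name ending in "$".
    computer = event["Security ID"] == "S-1-5-18" or event["Account Name"].endswith("$")
    actor = None if computer else event["Account Domain"] + "\\" + event["Account Name"]
    return {"auditing_reduced": bool(removed), "removed": removed,
            "subject_is_computer": computer, "actor": actor}

# Constructed samples: the page's event, then two removals (user, computer).
SAMPLES = [
    TEMPLATE.format(sid=ADMIN_SID, name="Administrator", domain=HOST, changes="Failure added"),
    TEMPLATE.format(sid=ADMIN_SID, name="Administrator", domain=HOST, changes="Success removed, Failure removed"),
    TEMPLATE.format(sid="S-1-5-18", name=HOST + "$", domain="WORKGROUP", changes="Success removed"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(assess(parse_4719(msg)))
```

When `subject_is_computer` is true, the actor has to come from another source, such as the change history of the GPO that carries the audit settings.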
