Windows Security Log Event ID 4739

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Account Management
 • Other Account Management Events
Type Success
Corresponding events
in Windows 2003
and before
643  
Discussions on Event ID 4739
Event id 4739 not showing changed values
Subcategory that event generated under vs corresponding Audit Policy enabling

4739: Domain Policy was changed

On this page

This computer's Security Settings\Account Policy or Account Lockout Policy policy was modified - either via Local Security Policy or Group Policy in Active Directory.

There are few other operations that can generate this event, including:

  • Raising the domain functional level
  • Security option: "Network security: Force logoff when logon hours expire"


Unfortunately the Subject fields don't identify who actually changed the policy because this policy isn't directly configured by administrators. Instead it is edited in a group policy object which then gets applied to the computer. Therefore this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

Change Type: usually filled in with a text explanation of the change

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Free Security Log Resources by Randy

Description Fields in 4739

Changes Made:

The new values are displayed for each policy that was changed. 

  • Min. Password Age:
  • Max. Password Age:
  • Force Logoff:  Security option: "Network security: Force logoff when logon hours expire"
  • Lockout Threshold:
  • Lockout Observation Window: in seconds
  • Lockout Duration: in seconds
  • Password Properties:
  • Min. Password Length:
  • Password History Length: "Enforce password history"
  • Machine Account Quota: The number of computer accounts that a user is allowed to create in a domain with the "Add workstation to domain" user right.
  • Mixed Domain Mode:
  • Domain Behavior Version:
  • Value of 0 =mixed level domain
  • Value of 1=Windows Server 2003 domain level
  • Value of 2=Windows Server 2003 domain level
  • OEM Information: not used. present for backward compatibility

Additional Information:

  • Privileges:  always "-"

 

Supercharger Free Edition

 

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4739

Domain Policy was changed.

Change Type:  Lockout Policy modified

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Domain:

   Domain Name:  WIN-R9H529RIO4Y
   Domain ID:  ACME\

Changed Attributes:

   Min. Password Age: -
   Max. Password Age: -
   Force Logoff:  -
   Lockout Threshold: 7
   Lockout Observation Window: 1800
   Lockout Duration: 1800
   Password Properties: -
   Min. Password Length: -
   Password History Length: -
   Machine Account Quota: -
   Mixed Domain Mode: -
   Domain Behavior Version: -
   OEM Information: -

Additional Information:

   Privileges:  -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources