Domain Policy was changed
On this page
This computer's Security Settings\Account Policy or Account Lockout Policy policy was modified - either via Local Security Policy or Group Policy in Active Directory.
There are few other operations that can generate this event, including:
- Raising the domain functional level
- Security option: "Network security: Force logoff when logon hours expire"
Unfortunately the Subject fields don't identify who actually changed the policy because this policy isn't directly configured by administrators. Instead it is edited in a group policy object which then gets applied to the computer. Therefore this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
Change Type: usually filled in with a text explanation of the change
The ID and logon session of the user that changed the policy - always the local system - see note above.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
The new values are displayed for each policy that was changed.
- Min. Password Age:
- Max. Password Age:
- Force Logoff: Security option: "Network security: Force logoff when logon hours expire"
- Lockout Threshold:
- Lockout Observation Window: in seconds
- Lockout Duration: in seconds
- Password Properties:
- Min. Password Length:
- Password History Length: "Enforce password history"
- Machine Account Quota: The number of computer accounts that a user is allowed to create in a domain with the "Add workstation to domain" user right.
- Mixed Domain Mode:
- Domain Behavior Version:
- Value of 0 =mixed level domain
- Value of 1=Windows Server 2003 domain level
- Value of 2=Windows Server 2003 domain level
- OEM Information: not used. present for backward compatibility
Top 10 Windows Security Events to Monitor
Domain Policy was changed.
Change Type: Lockout Policy modified
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Domain Name: WIN-R9H529RIO4Y
Domain ID: ACME\
Min. Password Age: -
Max. Password Age: -
Force Logoff: -
Lockout Threshold: 7
Lockout Observation Window: 1800
Lockout Duration: 1800
Password Properties: -
Min. Password Length: -
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: -
Keep me up-to-date on the Windows Security Log.
*We will NOT share this