Windows Security Log Event ID 4791

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Account Management
 • Application Group Management
Type Success
Corresponding events
in Windows 2003
and before
695  
Discussions on Event ID 4791
Ask a question about this event

4791: A basic application group was changed

On this page

The user in Subject: changed the LDAP Query group or Business Rule Application Group (BRAP) identified in Group:.

The event should actually say "An LDAP query group was changed" instead of basic application group.

This event also applies to Business Rule Application Groups

The other crazy thing about this event is that if you change the LDAP query of this group (arguably the most important property) Windows fails to log this event 4791.

Query and BRAP groups are part of Windows's role based access control for applications and are maintained in the Authorization Manager MMC snap-in.

This event does not report the common name (cn) of the group you are accustomed to seeing in Authorization Manager where application groups are maintained.  This is really bad because the account name reported in this event isn't displayed anywhere in Authorization Manager.  To find out the common name of the group look for the Directory Service Changes events immediately following this event which do report the common name.

Free Security Log Resources by Randy

Description Fields in 4791

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Group:

  • Security ID:  The SID of the affected group
  • Group Name: Name of affected group
  • Group Domain:  Domain of affected group

Attributes:

  • SAM Account Name: Pre-win2k name of affected group
  • SID History:  used when migrating legacy NT domains or merging domains.  Normally "-"

Additional Information:

  • Privileges:  always "-"

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4791

A basic application group was changed.

Subject:

   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x30999

Group:

   Security ID:  ACME\$M21000-VN43V7OM36S1
   Account Name:  $M21000-VN43V7OM36S1
   Account Domain:  ACME

Attributes:

   SAM Account Name: -
   SID History:  -

Additional Information:

   Privileges:  -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources