ITsVISTA
Information that makes life easier when it comes to installing, managing, and using Windows Vista.
Start About FAQ Blogroll Shop

ITsVISTA KB-Link: KB2569339

Some security events do not log the name of the user account that makes Local Security Policy changes in Windows Server 2008 or in Windows Vista

On a computer that is running Windows Server 2008 or Windows Vista, some security events are added to the Security log after Local Security Policy settings are changed. These security events indicate that the SYSTEM account made these changes instead of a specific user account. Therefore, you do not know which user changed the settings.

Note: This issue occurs with security events 4704, 4717, 4719, and 4739.

The following are some sample security events in which the Security ID attribute contains the SYSTEM value:

Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: <date & time> Event ID: 4739 Task Category: Other Account Management Events Level: Information Keywords: Audit Success User: N/A Computer: <computer name> Description: Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: SYSTEM Account Name: <computer name> Account Domain: WORKGROUP Logon ID: 0x3e7 Domain: Domain Name: <name> Domain ID: <name> Changed Attributes: Min. Password Age: 604800 Max. Password Age: 7948800 Force Logoff: - Lockout Threshold: - Lockout Observation Window: - Lockout Duration: - Password Properties: 0 Min. Password Length: 8 Password History Length: 13 Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: - Additional Information: Privileges: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: <date & time> Event ID: 4719 Task Category: Audit Policy Change Level: Information Keywords: Audit Success User: N/A Computer: <computer name> Description: System audit policy was changed. Subject: Security ID: SYSTEM Account Name: <computer name> Account Domain: WORKGROUP Logon ID: 0x3e7 Audit Policy Change: Category: Account Logon Subcategory: Credential Validation Subcategory GUID: {0cce923f-69ae-11d9-bed3-505054503030} Changes: Success Added Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: <date & time> Event ID: 4704 Task Category: Authorization Policy Change Level: Information Keywords: Audit Success User: N/A Computer: <computer name> Description: A user right was assigned. Subject: Security ID: SYSTEM Account Name: <computer name> Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Account Name: <account name> New Right: User Right: SeTcbPrivilege Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: <date & time> Event ID: 4717 Task Category: Authentication Policy Change Level: Information Keywords: Audit Success User: N/A Computer: <computer name> Description: System security access was granted to an account. Subject: Security ID: SYSTEM Account Name: <computer name> Account Domain: WORKGROUP Logon ID: 0x3e7 Account Modified: Account Name: <account name> Access Granted: Access Right: SeNetworkLogonRight

There is a download that resolves this issue. See Hotfixes for details.
32-bit Download: Contact Microsoft
64-Bit Download: Contact Microsoft

For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB2569339.

Get notified of new posts for FREE via RSS or E-mail

Subscribe to ITsVISTA!

Related Posts