We get a lot of event id 4735 like the following:
Subject:
Security ID: SYSTEM
Account Name: xxx$
Account Domain: xxx
Logon ID: 0x3E7
Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin
Changed Attributes:
SAM Account Name: -
SID History: -
Additional Information:
Privileges: -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{xxx}" />
<EventID>4735</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-10-13T16:56:50.930730000Z" />
<EventRecordID>113144987</EventRecordID>
<Correlation ActivityID="{xxx}" />
<Execution ProcessID="840" ThreadID="10404" />
<Channel>Security</Channel>
<Computer>xxx</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetDomainName">Builtin</Data>
<Data Name="TargetSid">S-xxx</Data>
<Data Name="SubjectUserSid">S-xxx</Data>
<Data Name="SubjectUserName">xxx$</Data>
<Data Name="SubjectDomainName">xxx</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="SidHistory">-</Data>
</EventData>
</Event>
According to the doc, "This event is logged on domain controllers for Active Directory domain local groups to change the Security Local group identified in Group." However, it does not seem to contain information about what was changed. "PrivilegeList", "SamAccountName", "SidHistory" are all "-".
We are seeing this in both DC and member servers.
Does anyone have a clue?
If this is occurring on domain groups, you can enable Directory Service Change Auditing. This needs to be enabled in the Domain Controller Group Policy, and on the objects to audit (top level of Domain and Sites and Services objects).
A 5136 event will be recorded in the security event log for modifications, and include the previous and new values.
Note that sidHistory is a multivalued attribute. It is also protected, and is typically changed in a special system operation. Note that this is ideally not present, unless there has been a migration from one domain to another, which is typically the only time sidHistory is updated.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731764(v=ws.10)
https://learn.microsoft.com/en-us/windows/win32/ad/using-dsaddsidhistory
I believe the '-' is intended behavior. "Changed Attributes: Note If attribute was not changed it will have "-" value." as noted here https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735.
Also,
"From 4735 event you can get information about changes of sAMAccountName and sIDHistory attributes or you will see that something changed, but will not be able to see what exactly changed."
There may be another event you can use. I'd check your current audit policy and see if this 4735 correlates to any other events.
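As an added example that is not part of either answer above: a PowerShell script that pulls the 4735 events from the Security log, extracts the fields shown in the thread's Event XML, marks the ones whose Changed Attributes are all "-", and lists companion events (5136 directory-change events, plus 4732/4733 member add/remove) recorded by the same Logon ID within a few seconds, which is the correlation the second answer suggests. The companion IDs 4732/4733, the time window and the parameter names are this example's choices, not the thread's.

```powershell
# Added example (not from the thread): correlate 4735 with nearby related events.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,            # how far back to look
    [int]$WindowSeconds = 5      # max gap between 4735 and a companion event
)

function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    # Turn the <Data Name="...">value</Data> elements into a hashtable
    $xml = [xml]$e.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4735; StartTime = $start }

# Companion events are fetched once and matched in memory (5136 needs
# Directory Service Changes auditing enabled, as the first answer describes)
$companions = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136, 4732, 4733; StartTime = $start }
$companionInfo = foreach ($c in $companions) {
    $m = Get-EventDataMap $c
    [pscustomobject]@{ Id = $c.Id; Time = $c.TimeCreated; LogonId = $m['SubjectLogonId'] }
}

foreach ($e in $events) {
    $d = Get-EventDataMap $e
    # Attributes the event can report; "-" means the attribute was not changed
    $changed = @('PrivilegeList', 'SamAccountName', 'SidHistory') |
        Where-Object { $d[$_] -and $d[$_] -ne '-' }
    # Same Logon ID (0x3e7 is SYSTEM, so the time window does the real narrowing)
    $related = $companionInfo | Where-Object {
        $_.LogonId -eq $d['SubjectLogonId'] -and
        [math]::Abs(($_.Time - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
    }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Group      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Subject    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId    = $d['SubjectLogonId']
        Changed    = if ($changed) { $changed -join ',' } else { 'none recorded (all "-")' }
        RelatedIds = ($related | ForEach-Object Id | Sort-Object -Unique) -join ','
    }
}
```

Run it in an elevated session on the DC or member server (or point -ComputerName at it); a row with Changed = 'none recorded' and an empty RelatedIds is a 4735 that nothing else in the current audit policy explains.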