Windows Security Log Event ID 4705
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Policy Change • Authorization Policy Change |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
609
|
4705: A user right was removed
On this page
This event documents a change to user right assignments on this computer including the right and user or group that lost the right.
Note: "User rights" and "privileges" are synonymous terms used interchangeably in Windows.
Rights, like most other security settings, are defined in group policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change you must search the domain controllers' security logs for changes to groupPolicyContainer objects (logged by Directory Service auditing).
Logon ID allows you to link this event to the prior event 4624 logon event of the user who performed this action.
Note: This event, 4705, and 4704 do not log changes to logon rights such as "Access this computer from the network" or "Logon as a service". See events 4714 and 4718.
Subject:
The ID and logon session of the user that revoked the right. Unfortunately this is just the local system account - see above.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Free Security Log Resources by Randy
Target Account:
The user or group that was lost the right. Account Name: name of user or group
New Right:
User Right: the name of the right revoked - See User Rights table in 4704
Supercharger Free Edition