Windows Security Log Event ID 4792
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Account Management • Application Group Management |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
696
|
4792: An LDAP query group was deleted
On this page
This event also applies to Business Rule Application Groups.
The user in Subject: deleted the LDAP Query group or Business Rule Application Group (BRAP) identified in Group:.
Query and BRAP groups are part of Windows's role based access control for applications and are maintained in the Authorization Manager MMC snap-in.
This event does not report the common name (cn) of the group you are accustomed to seeing in Authorization Manager where application groups are maintained. This is really bad because the account name reported in this event isn't displayed anywhere in Authorization Manager. To find out the common name of the group look for the Directory Service Changes events immediately following this event which do report the common name.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Group:
- Security ID: The SID of the affected group
- Group Name: Name of affected group
- Group Domain: Domain of affected group
Attributes:
- SAM Account Name: Pre-win2k name of affected group
- SID History: used when migrating legacy NT domains or merging domains. Normally "-"
Additional Information:
Supercharger Enterprise