Windows Security Log Event ID 4866
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Policy Change • Authentication Policy Change |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
|
4866: A trusted forest information entry was removed
On this page
This event is logged cross-forest trust relationships are deleted or modified. You will get several of these events per trust.
Windows stores trust relationships as Trusted Domain Objects (see events 4706, 4707, 4716) but cross-forest trusts require extra information stored in several entries in the TDO's Forest Trust Information attribute (aka FTInfo). FTInfo includes the all namespaces that a trusted forest manages, with other fields that indicate whether each claim is actually trusted by the trusting (this) forest.
This event, 4865, documents deletion of each of such entries. You can link all the entries created at one time by the Operation ID:.
Not all elements are filled in for each entry type.
Free Security Log Resources by Randy
Subject:
The ID and logon session of the user that deleted the entry.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Trust Information:
The elements in the Forest Trust Information entry.
- Forest Root: The DNS name of the forest root domain of the other forest in this trust relationship.
- Forest Root SID: The SID of the Forest Root: - usually translated to the pre-Win2k domain name.
- Operation ID: allows you to correlate all the events that are part of this operation
- Entry Type:
0 |
ForestTrustTopLevelName |
This record identifies a domain (Top Level Name below) of the trusted forest that this forest trusts. |
1 |
ForestTrustTopLevelNameEx |
This record identifies a domain (Top Level Name below) of the trusted forest that this forest does not trust (excluded) |
2 |
ForestTrustDomainInfo |
This record contains an LSA_FOREST_TRUST_DOMAIN_INFO structure which includes
|
- Flags: seems to always be 0
- Top Level Name: The domain that is trusted or untrusted (excluded) see Entry Types 0 and 1 above.
- DNS Name: see see LSA_FOREST_TRUST_DOMAIN_INFO above
- NetBIOS Name: see LSA_FOREST_TRUST_DOMAIN_INFO above
- Domain SID: see LSA_FOREST_TRUST_DOMAIN_INFO above
Supercharger Free Edition
A trusted forest information entry was removed.
Subject:
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Trust Information:
Forest Root: mtg.local
Forest Root SID: MTG\
Operation ID: 0x36d49c
Entry Type: 1
Flags: 0
Top Level Name: junk.mtg.local
DNS Name: -
NetBIOS Name: -
Domain SID: NULL SID
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection