4739 Domain Policy was changed
Written when the local computer security policy (account lockout policy or password policy) is changed. It captures setting changes that bear directly on authentication robustness.
Overview
The subcategory is Audit Authentication Policy Change. It is generated when one of the following changes:
- Account lockout policy (threshold, lockout duration, and so on)
- Password policy (minimum length, complexity, maximum age, history, and so on)
How it is triggered
- A change to account/password policy via Group Policy or Local Security Policy.
Security review points
- Weakening the password policy (lowering minimum length, disabling complexity, and so on) raises the success rate of brute-force attempts (4625). Be wary: an attacker may loosen the policy after a breach.
- Raising or disabling the lockout threshold makes brute force harder to detect or block. Monitor this event together with lockout events (4740) to track the state of authentication defenses.
Notes for log review
- This is a rare change. If unplanned, treat it as a high-priority event and always investigate it.
- Check the changed policy item and direction (hardening/weakening), and focus on weakening changes.
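One way to automate the direction check above, as an added example that is not part of the original page. It assumes the event reports only the new values, so direction is judged against a defender-maintained baseline. The record keys, the "-" marker for unchanged settings, the baseline values and the sample events are all constructed assumptions.

```python
import math

# Approved policy values (constructed baseline; take yours from the GPO).
BASELINE = {"MinPasswordLength": 14, "PasswordHistoryLength": 24,
            "PasswordComplexity": 1, "LockoutThreshold": 5}

def _lockout_strength(v):
    # 0 disables lockout entirely (weakest); otherwise fewer tries is stronger.
    return -math.inf if v == 0 else -v

# Maps each setting to a score where a higher score means a stronger policy.
STRENGTH = {"MinPasswordLength": int, "PasswordHistoryLength": int,
            "PasswordComplexity": int, "LockoutThreshold": _lockout_strength}

def classify_4739(event, baseline=BASELINE):
    """Return (setting, old, new, direction) for each setting the event changed."""
    findings = []
    for name, score in STRENGTH.items():
        raw = event.get(name, "-")
        if raw == "-":  # assumed marker for "not changed in this event"
            continue
        new, old = int(raw), baseline[name]
        if score(new) < score(old):
            direction = "weakening"
        elif score(new) > score(old):
            direction = "hardening"
        else:
            direction = "unchanged"
        findings.append((name, old, new, direction))
    return findings

def triage(events, baseline=BASELINE):
    """Return one alert per event that contains at least one weakening change."""
    alerts = []
    for ev in events:
        weak = [f for f in classify_4739(ev, baseline) if f[3] == "weakening"]
        if weak:
            alerts.append({"time": ev["TimeCreated"],
                           "subject": ev["SubjectUserName"], "weakened": weak})
    return alerts

# Constructed sample records, already parsed from 4739 events into dicts.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:12:00Z", "SubjectUserName": "gpo-admin",
     "MinPasswordLength": "16", "LockoutThreshold": "-"},
    {"TimeCreated": "2024-05-03T02:47:00Z", "SubjectUserName": "svc-backup",
     "MinPasswordLength": "6", "LockoutThreshold": "0"},
    {"TimeCreated": "2024-05-04T11:30:00Z", "SubjectUserName": "helpdesk1",
     "LockoutThreshold": "3"},
]
```

After an approved policy change, update the baseline so later events are compared against the current intended values.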
Key fields
| Field | Meaning |
|---|---|
| Changed policy settings | The values of the password/lockout policy |
| Subject\Account Name | The subject that made the change |