4766 An attempt to add SID History to an account failed
Logged when an attempt to add SID History to an account fails. Paired with the success version, 4765, it captures attempted SID History operations.
Overview
The subcategory is Audit User Account Management. The event is generated when adding a SID to the sIDHistory attribute fails. Causes of failure include duplication, conflict, insufficient privilege, and so on.
How it is triggered
- When a SID History addition by a migration tool or manual operation fails for some reason.
Security review points
- It lacks the direct impact of a successful addition (4765), but it can be a trace of an attempt to inject SID History. It may indicate attacker trial and error, so monitor it together with the success version.
- If 4766 appears with no migration plan, suspect an illicit SID History attempt and investigate the source.
Notes for log review
- It is normally rare. Do not ignore it because it is a failure; record and review it as evidence that someone tried to touch SID History.
- Together with 4765, track all SID History-related operations.
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The target account |
| Subject\Account Name | The subject that attempted the operation |
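The review points above can be turned into a triage rule. This is an added example, not part of the original page: it checks 4765/4766 records against a migration plan and notes when a failure is followed by a success on the same target. The record keys (`time`, `id`, `subject`, `target`), the account names, and the plan structure are all assumptions made for illustration, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). The keys are hypothetical names
# for the fields listed on this page, as they might look after export to a SIEM.
EVENTS = [
    {"time": "2024-03-02T10:15:00", "id": 4766, "subject": "svc-admt", "target": "j.doe"},
    {"time": "2024-03-02T10:16:00", "id": 4765, "subject": "svc-admt", "target": "j.doe"},
    {"time": "2024-03-09T02:41:00", "id": 4766, "subject": "helpdesk7", "target": "backup-op"},
    {"time": "2024-03-09T02:43:00", "id": 4766, "subject": "helpdesk7", "target": "backup-op"},
    {"time": "2024-03-09T02:50:00", "id": 4765, "subject": "helpdesk7", "target": "backup-op"},
]

# Assumed migration plan: which subjects may touch SID History, and when.
PLAN = {"subjects": {"svc-admt"},
        "windows": [(datetime(2024, 3, 2, 8), datetime(2024, 3, 2, 18))]}

def in_plan(event, plan):
    t = datetime.fromisoformat(event["time"])
    return (event["subject"] in plan["subjects"]
            and any(start <= t <= end for start, end in plan["windows"]))

def triage(events, plan, follow=timedelta(hours=1)):
    """Return one finding per 4765/4766 event that falls outside the plan."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] not in (4765, 4766) or in_plan(ev, plan):
            continue
        reason = "unplanned SID History " + ("failure" if ev["id"] == 4766 else "success")
        if ev["id"] == 4766:
            t = datetime.fromisoformat(ev["time"])
            # A failure followed by 4765 on the same target: retries that ended in success.
            for later in events[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t > follow:
                    break
                if later["id"] == 4765 and later["target"] == ev["target"]:
                    reason += ", followed by 4765 on same target"
                    break
        findings.append((ev["time"], ev["id"], ev["subject"], ev["target"], reason))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, PLAN):
        print(*finding, sep=" | ")
```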