4866 A trusted forest information entry was removed
Written when a trusted forest information entry is removed. Paired with addition 4865, it tracks changes to a forest trust’s accepted scope.
Overview
The subcategory is Audit Authentication Policy Change. It is generated when a namespace/domain entry is removed from a forest trust.
How it is triggered
- When an accepted namespace entry is removed in a forest-trust configuration.
Security review points
- Removing an accepted scope is a configuration change that affects interoperability. Confirm whether it is legitimate cleanup or configuration alteration by an attacker.
- Read it together with trust addition 4865 and modification 4867 as part of the forest-trust configuration history.
Notes for log review
- It is meaningful only in environments that use forest trusts, and it is a rare change.
- Record the removed entry and acting subject, and reconcile against change management.
Key fields
| Field | Meaning |
|---|---|
| Removed namespace/domain | The scope removed from acceptance |
| Subject\Account Name | The subject that made the change |
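
The review points and log-review notes above, as an added example (not code from this page or from Microsoft): it lists each 4866 removal with the earlier 4865/4866/4867 history of the same entry and checks it against change records. The dictionary keys (`EventID`, `TimeCreated`, `Subject`, `Entry`), the change-record layout, the four-hour window and all sample values are assumptions; map them to whatever your collector exports.

```python
from datetime import datetime, timedelta

# Event IDs named on this page: entry added, removed, modified.
TRUST_EVENTS = {4865: "added", 4866: "removed", 4867: "modified"}

def review_removals(events, changes, window=timedelta(hours=4)):
    """One finding per 4866: prior history of the entry plus ticket match."""
    trust = sorted((e for e in events if e["EventID"] in TRUST_EVENTS),
                   key=lambda e: e["TimeCreated"])
    findings = []
    for ev in (e for e in trust if e["EventID"] == 4866):
        entry, who = ev["Entry"].lower(), ev["Subject"].lower()
        # Earlier 4865/4866/4867 events for the same namespace/domain entry.
        history = [(h["TimeCreated"], TRUST_EVENTS[h["EventID"]], h["Subject"])
                   for h in trust
                   if h["Entry"].lower() == entry
                   and h["TimeCreated"] < ev["TimeCreated"]]
        # A removal is reconciled only if entry, subject and time all match.
        ticket = next((c["id"] for c in changes
                       if c["entry"].lower() == entry
                       and c["actor"].lower() == who
                       and abs(c["scheduled"] - ev["TimeCreated"]) <= window),
                      None)
        findings.append({"time": ev["TimeCreated"], "entry": ev["Entry"],
                         "subject": ev["Subject"], "history": history,
                         "ticket": ticket, "reconciled": ticket is not None})
    return findings

# Constructed sample data; key names are assumptions about the export format.
def make_event(event_id, ts, subject, entry):
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts),
            "Subject": subject, "Entry": entry}

SAMPLE_EVENTS = [
    make_event(4865, "2024-03-01T09:00:00", "trustadmin", "partner.example"),
    make_event(4867, "2024-04-02T10:15:00", "trustadmin", "partner.example"),
    make_event(4865, "2024-03-05T11:00:00", "trustadmin", "legacy.example"),
    make_event(4866, "2024-05-10T14:05:00", "trustadmin", "partner.example"),
    make_event(4866, "2024-05-12T02:30:00", "svc-backup", "legacy.example"),
]
SAMPLE_CHANGES = [{"id": "CHG-0001", "entry": "partner.example",
                   "actor": "trustadmin",
                   "scheduled": datetime.fromisoformat("2024-05-10T14:00:00")}]

if __name__ == "__main__":
    for f in review_removals(SAMPLE_EVENTS, SAMPLE_CHANGES):
        status = f["ticket"] or "NO MATCHING CHANGE RECORD"
        print(f["time"], f["entry"], f["subject"], status, len(f["history"]))
```

A removal with no matching record is a prompt for follow-up with the acting subject, not a verdict; the history list shows who added or modified the entry before it was removed.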