Windows EventInformation
Windows Event ID 4794 – Security: An Attempt Was Made to Set the Directory Services Restore Mode Administrator Password
Event ID 4794 fires when someone attempts to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This security event tracks critical DSRM password modifications.
