ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security audit logs on a cybersecurity monitoring dashboard
Event ID 4675InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4675 – Microsoft-Windows-Security-Auditing: User Account Logon Rights Assignment

Event ID 4675 records when user account logon rights are assigned or removed, typically during group policy application or manual security policy changes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4675Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4675 represents a fundamental security auditing mechanism within Windows that tracks modifications to user rights assignments. When Windows processes security policy changes—whether through Group Policy refresh cycles, manual Local Security Policy modifications, or programmatic security descriptor updates—this event captures the specific rights being granted or revoked.

The event structure includes several critical fields: the target account receiving or losing rights, the specific privilege being modified (such as SeServiceLogonRight or SeRemoteInteractiveLogonRight), the process responsible for the change, and the security identifier of the initiating principal. This granular detail enables administrators to trace privilege modifications back to their source.

In domain environments, Event ID 4675 frequently appears during Group Policy processing cycles, typically every 90-120 minutes on workstations and every 5 minutes on domain controllers. The event helps distinguish between expected policy-driven changes and potentially malicious privilege escalation attempts. Modern Windows versions in 2026 have enhanced this event with additional context fields that improve forensic analysis capabilities.

The timing and frequency of these events can indicate system health issues, such as Group Policy processing failures or authentication problems. Security Information and Event Management (SIEM) systems often correlate Event ID 4675 with other security events to detect privilege escalation patterns and unauthorized access attempts.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Group Policy processing applying user rights assignments from domain or local policies
  • Manual modification of Local Security Policy through secpol.msc or Group Policy Editor
  • Service installation or configuration changes that require specific logon rights
  • Administrative tools modifying user account privileges programmatically
  • Security template application through secedit.exe or similar utilities
  • Windows Update or system maintenance operations adjusting service account rights
  • Third-party software installation requiring elevated privileges or service rights
  • PowerShell scripts or automation tools modifying security policies
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4675 to understand what rights were modified and for which account.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4675 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4675 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4675 entries to examine the details
  6. Review the General tab for the account name, privilege name, and process information
  7. Check the Details tab for additional XML data including Security ID and process details

Key fields to examine include the Subject Security ID (who initiated the change), Target Account (which account was modified), and Privileges (which specific rights were assigned or removed).

02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4675 occurrences across specific time periods.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4675 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events for a specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from event properties:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675} -MaxEvents 10 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        PrivilegeName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
    }
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675} -MaxEvents 100 | Export-Csv -Path "C:\Temp\Event4675_Analysis.csv" -NoTypeInformation
03

Analyze Group Policy Processing

Investigate whether Event ID 4675 occurrences correlate with Group Policy processing cycles, which is the most common legitimate cause.

  1. Check Group Policy processing events in the System log:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} -MaxEvents 20
  2. Review Group Policy operational logs:
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-2)}
  3. Open Group Policy Management Console (gpmc.msc) to review applied policies
  4. Navigate to the target computer or user object and check Group Policy Results
  5. Run Group Policy refresh to test if Event ID 4675 appears:
    gpupdate /force
  6. Monitor the Security log during Group Policy processing:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675; StartTime=(Get-Date).AddMinutes(-5)} | Format-Table TimeCreated, Message -Wrap
  7. Verify current user rights assignments:
    secedit /export /cfg C:\Temp\current_security_policy.inf
notepad C:\Temp\current_security_policy.inf
Pro tip: Group Policy processing typically generates multiple Event ID 4675 entries as it applies various user rights assignments. This is normal behavior in domain environments.
04

Investigate Service Account Changes

Examine whether Event ID 4675 relates to service account privilege modifications, which often occur during software installation or service configuration.

  1. Check recent service installations and modifications:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7034,7035,7036,7040} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  2. Review services that run under specific accounts:
    Get-WmiObject Win32_Service | Where-Object {$_.StartName -ne 'LocalSystem' -and $_.StartName -ne 'NT AUTHORITY\LocalService' -and $_.StartName -ne 'NT AUTHORITY\NetworkService'} | Select-Object Name, StartName, State
  3. Examine Windows Installer logs for service-related installations:
    Get-WinEvent -LogName 'Application' | Where-Object {$_.ProviderName -eq 'MsiInstaller' -and $_.TimeCreated -gt (Get-Date).AddDays(-1)} | Format-Table TimeCreated, Message -Wrap
  4. Check for recent software installations in Programs and Features:
    Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Application'} | Where-Object {$_.Message -like '*install*' -and $_.TimeCreated -gt (Get-Date).AddDays(-1)}
  5. Review the Local Security Policy for service logon rights:
    Open Local Security Policy (secpol.msc) → Local PoliciesUser Rights AssignmentLog on as a service
  6. Correlate service changes with Event ID 4675 timing:
    $ServiceEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7034,7035,7036} -MaxEvents 20
$SecurityEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675} -MaxEvents 20
Compare-Object $ServiceEvents.TimeCreated $SecurityEvents.TimeCreated -IncludeEqual
05

Advanced Forensic Analysis and Monitoring

Implement comprehensive monitoring and forensic analysis to detect unauthorized privilege modifications and establish baseline behavior patterns.

  1. Create a PowerShell monitoring script for continuous Event ID 4675 tracking:
    # Save as Monitor-Event4675.ps1
$LastCheck = (Get-Date).AddMinutes(-5)
while ($true) {
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675; StartTime=$LastCheck}
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        $SubjectUser = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        $TargetUser = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        $Privilege = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'}).'#text'
        
        Write-Host "[$(Get-Date)] Event ID 4675 - Subject: $SubjectUser, Target: $TargetUser, Privilege: $Privilege" -ForegroundColor Yellow
    }
    $LastCheck = Get-Date
    Start-Sleep -Seconds 300
}
  2. Set up Windows Event Forwarding for centralized monitoring:
    Configure Event Collector service: wecutil qc
    Create custom subscription for Event ID 4675
  3. Implement registry monitoring for security policy changes:
    $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Get-ItemProperty -Path $RegPath | Format-List
  4. Create baseline documentation of normal Event ID 4675 patterns:
    # Generate baseline report
$BaselineEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675} -MaxEvents 200
$BaselineEvents | Group-Object {($_.Message -split '\n')[0]} | Sort-Object Count -Descending | Format-Table Name, Count -Wrap
  5. Configure Windows Event Log size and retention for adequate forensic coverage:
    wevtutil sl Security /ms:1073741824  # Set Security log to 1GB
wevtutil sl Security /rt:false       # Disable log overwrite
  6. Integrate with SIEM or log analysis tools using WinLogBeat or similar agents
  7. Set up automated alerting for suspicious patterns:
    # Alert on Event ID 4675 outside business hours
$CurrentHour = (Get-Date).Hour
if ($CurrentHour -lt 8 -or $CurrentHour -gt 18) {
    $RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4675; StartTime=(Get-Date).AddMinutes(-10)}
    if ($RecentEvents.Count -gt 0) {
        # Send alert - implement your notification method
        Write-Warning "Suspicious Event ID 4675 activity detected outside business hours"
    }
}
Warning: Excessive Event ID 4675 logging can impact system performance. Monitor log sizes and implement appropriate retention policies.

Overview

Event ID 4675 fires when Windows assigns or removes user account logon rights through the Local Security Authority (LSA). This event appears in the Security log whenever the system modifies user rights assignments, commonly triggered during Group Policy processing, manual security policy changes, or administrative privilege modifications.

The event captures critical security policy changes that affect who can log on to systems and how. It records both the assignment and removal of logon rights such as 'Log on as a service', 'Log on locally', 'Log on through Remote Desktop Services', and other user rights assignments defined in Local Security Policy.

This audit event becomes particularly valuable in environments where compliance requires tracking privilege escalation and access control modifications. Security teams rely on Event ID 4675 to monitor unauthorized privilege changes and maintain audit trails for regulatory compliance. The event provides detailed information about which rights were modified, for which accounts, and by which process or user initiated the change.

Frequently Asked Questions

What does Event ID 4675 mean and when should I be concerned?+
Event ID 4675 indicates that user account logon rights have been assigned or removed on the system. This is typically normal behavior during Group Policy processing, service installations, or administrative security policy changes. You should be concerned if these events occur outside normal business hours, affect critical service accounts without corresponding change management, or happen frequently without clear administrative cause. The event itself is informational, but patterns of unexpected privilege modifications can indicate security issues or unauthorized access attempts.
How can I distinguish between legitimate Group Policy changes and potential security threats in Event ID 4675?+
Legitimate Group Policy-driven Event ID 4675 entries typically occur in clusters during scheduled Group Policy refresh cycles (every 90-120 minutes for workstations, every 5 minutes for domain controllers). They usually involve system accounts like 'SYSTEM' or 'NETWORK SERVICE' as the subject, and the timing correlates with Group Policy processing events (Event IDs 1502, 1503) in the System log. Suspicious events might show user accounts making privilege changes outside normal hours, modifications to sensitive service accounts, or privilege escalations that don't align with approved change management processes.
Why am I seeing multiple Event ID 4675 entries in rapid succession?+
Multiple rapid Event ID 4675 entries are common during Group Policy processing, software installations, or system updates. Each user rights assignment generates a separate event, so applying a comprehensive Group Policy or installing software that configures multiple services can create dozens of these events within minutes. This is normal behavior. However, if you see continuous streams of these events without corresponding administrative activity, it might indicate a malfunctioning service, stuck Group Policy processing, or potentially malicious automated privilege modification attempts.
Can Event ID 4675 help me track who made unauthorized privilege changes?+
Yes, Event ID 4675 contains the Subject Security ID and Subject User Name fields that identify who or what initiated the privilege change. However, many legitimate changes are made by system processes (SYSTEM account) during automated operations. For user-initiated changes, the event will show the actual user account. To effectively track unauthorized changes, correlate Event ID 4675 with logon events (4624, 4625), privilege use events (4672, 4673), and process creation events (4688) to build a complete picture of administrative activity and identify potentially unauthorized privilege modifications.
How should I configure auditing and retention for Event ID 4675 in a compliance environment?+
For compliance environments, enable Object Access auditing and User Rights Assignment auditing through Group Policy under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Privilege Use. Set the Security event log to at least 1GB with archival rather than overwrite to ensure adequate retention. Consider forwarding Event ID 4675 to a centralized SIEM system for long-term storage and correlation analysis. Document baseline patterns of normal Event ID 4675 activity to distinguish between routine operations and potential security incidents. Implement automated monitoring for events occurring outside normal business hours or involving sensitive service accounts.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4675 and related privilege assignment events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies to capture user rights assignment events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4675#security-auditing#user-rights

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...