ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with security audit logs and privilege assignment analysis
Event ID 4704InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4704 – Microsoft-Windows-Security-Auditing: User Right Assigned

Event ID 4704 logs when a user right is assigned to a security principal through Group Policy or local security policy changes. Critical for security auditing and compliance monitoring.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4704Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4704 represents a fundamental component of Windows security auditing infrastructure, specifically designed to track user rights assignments across Windows environments. When Windows processes security policies—whether through Group Policy refresh, local policy changes, or administrative modifications—this event provides granular visibility into privilege distribution.

The event structure includes critical fields such as the target security principal (Subject), the specific user right being assigned (Privilege Name), and the process responsible for the assignment. Windows generates this event during various scenarios: startup Group Policy processing, scheduled policy refresh cycles, manual Local Security Policy modifications, and domain controller policy replication.

From a security perspective, Event ID 4704 serves multiple purposes. Compliance frameworks like SOX, PCI-DSS, and HIPAA require organizations to maintain audit trails of privilege assignments. Security operations centers monitor these events to detect privilege escalation attempts, unauthorized administrative access grants, and policy drift scenarios where systems deviate from intended security baselines.

The event's timing correlation with other security events often reveals attack patterns. For instance, Event ID 4704 followed by logon events (4624) and privilege use events (4672) can indicate successful privilege escalation chains. Advanced persistent threat groups frequently manipulate user rights assignments as part of their persistence and lateral movement strategies.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Group Policy refresh cycles processing security policy settings
  • Manual modifications to Local Security Policy through secpol.msc
  • Domain controller replication of security policy changes
  • Administrative tools like secedit.exe applying security templates
  • PowerShell commands using Set-LocalUser or Grant-UserRight cmdlets
  • Third-party security management tools modifying user rights
  • System startup processing of cached Group Policy objects
  • Active Directory schema modifications affecting default user rights
  • Windows Update installations that modify security policy defaults
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4704 to understand what user right was assigned and to whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4704 by right-clicking the Security log and selecting Filter Current Log
  4. In the filter dialog, enter 4704 in the Event IDs field and click OK
  5. Double-click on a 4704 event to view details. Key fields to examine:
    • Subject: The account that initiated the assignment
    • Privilege Name: The specific user right assigned (e.g., SeServiceLogonRight)
    • Target Account: The security principal receiving the right
    • Process Information: The process that performed the assignment
Pro tip: Cross-reference the timestamp with Group Policy processing events (1502-1503) to determine if the assignment was policy-driven.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4704 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent 4704 events with detailed information:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 50 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        PrivilegeName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    }
}
  3. Filter for specific user rights assignments:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} | Where-Object {
    $_.Message -like '*SeServiceLogonRight*'
} | Select-Object TimeCreated, Message
  4. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 100 | 
Export-Csv -Path "C:\Temp\UserRightAssignments.csv" -NoTypeInformation
Warning: Large Security logs can impact performance. Use -MaxEvents parameter to limit results.
03

Correlate with Group Policy Processing

Determine if user right assignments are legitimate Group Policy operations or potential security concerns.

  1. Check Group Policy processing events in the System log:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} -MaxEvents 20 | 
Select-Object TimeCreated, Id, LevelDisplayName, Message
  2. Compare timestamps between Group Policy events and 4704 events:
    $gpEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502} -MaxEvents 10
$userRightEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 10

foreach ($gpEvent in $gpEvents) {
    $correlatedEvents = $userRightEvents | Where-Object {
        [Math]::Abs(($_.TimeCreated - $gpEvent.TimeCreated).TotalMinutes) -lt 5
    }
    if ($correlatedEvents) {
        Write-Host "GP Event: $($gpEvent.TimeCreated) - Correlated 4704 events: $($correlatedEvents.Count)"
    }
}
  3. Review current Group Policy security settings:
    secedit /export /cfg C:\Temp\current_security_policy.inf
Get-Content C:\Temp\current_security_policy.inf | Select-String "Se.*Right"
  4. Check for unexpected user right assignments by comparing against baseline:
    $baseline = @('SeServiceLogonRight', 'SeInteractiveLogonRight', 'SeNetworkLogonRight')
$recent4704 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 50
$recent4704 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $privilege = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
    if ($privilege -notin $baseline) {
        Write-Warning "Unusual privilege assignment: $privilege at $($_.TimeCreated)"
    }
}
04

Investigate Security Policy Changes

Perform deep analysis of security policy modifications that triggered the user right assignments.

  1. Check Local Security Policy current state:
    Get-LocalUser | Select-Object Name, Enabled, LastLogon
Get-LocalGroup | Select-Object Name, Description
  2. Review security audit policy settings:
    auditpol /get /category:"Privilege Use" /r
auditpol /get /category:"Policy Change" /r
  3. Examine registry locations for user rights assignments:
    $userRightsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Get-ItemProperty -Path $userRightsPath -Name "*" | 
Select-Object PSChildName, PSPath | Where-Object {$_.PSChildName -like "*Right*"}
  4. Check for recent security template applications:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1704,1705} -MaxEvents 20 | 
Select-Object TimeCreated, Id, Message
  5. Analyze process information from 4704 events to identify the source:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 20 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $processName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    $processId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
    Write-Host "Process: $processName (PID: $processId) at $($_.TimeCreated)"
}
Pro tip: Document baseline user rights assignments during normal operations to quickly identify anomalies.
05

Advanced Security Analysis and Monitoring

Implement comprehensive monitoring and analysis for ongoing security posture management.

  1. Create a PowerShell monitoring script for continuous analysis:
    # Save as Monitor-UserRights.ps1
param(
    [int]$Hours = 24,
    [string]$OutputPath = "C:\Temp\UserRightAnalysis.csv"
)

$startTime = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4704
    StartTime=$startTime
}

$analysis = $events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUser = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        PrivilegeName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
        TargetUser = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
    }
}

$analysis | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Analysis exported to $OutputPath"
  2. Set up Windows Event Forwarding for centralized monitoring:
    # Configure WEF subscription (run on collector)
wecutil cs UserRightAssignments.xml

# Sample subscription XML content:
# <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
#   <SubscriptionId>UserRightAssignments</SubscriptionId>
#   <Query><![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[EventID=4704]]</Select></Query></QueryList>]]></Query>
# </Subscription>
  3. Implement automated alerting for suspicious assignments:
    # Check for high-privilege assignments
$dangerousRights = @(
    'SeTcbPrivilege',
    'SeDebugPrivilege', 
    'SeLoadDriverPrivilege',
    'SeTakeOwnershipPrivilege'
)

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4704} -MaxEvents 100 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $privilege = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeName'} | Select-Object -ExpandProperty '#text'
    if ($privilege -in $dangerousRights) {
        $target = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        Write-Warning "ALERT: Dangerous privilege $privilege assigned to $target at $($_.TimeCreated)"
        # Add email/SIEM integration here
    }
}
  4. Create baseline documentation:
    # Generate current user rights baseline
$baseline = @{}
secedit /export /cfg C:\Temp\baseline.inf
$content = Get-Content C:\Temp\baseline.inf
$content | Where-Object {$_ -match "^Se.*Right"} | ForEach-Object {
    $parts = $_ -split " = "
    $baseline[$parts[0]] = $parts[1]
}
$baseline | ConvertTo-Json | Out-File C:\Temp\UserRightsBaseline.json
Warning: Monitor high-privilege assignments closely as they often indicate compromise or policy misconfiguration.

Overview

Event ID 4704 fires whenever Windows assigns a user right to a security principal (user, group, or computer account) through Group Policy processing or local security policy modifications. This event appears in the Security log and serves as a critical audit trail for privilege escalation monitoring and compliance requirements.

The event captures detailed information about which user right was assigned, to whom it was assigned, and the context of the assignment. Common scenarios include Group Policy refresh cycles, manual security policy changes, and domain controller replication events. Security teams rely on this event to track privilege changes across their Windows infrastructure.

Unlike privilege use events, Event ID 4704 specifically documents the assignment of rights rather than their exercise. This makes it essential for understanding the security posture evolution of Windows systems and detecting unauthorized privilege grants that could indicate compromise or policy drift.

Frequently Asked Questions

What does Event ID 4704 mean and why is it important?+
Event ID 4704 indicates that a user right has been assigned to a security principal (user, group, or computer account) on the system. This event is crucial for security auditing because it tracks privilege assignments, which are fundamental to Windows security architecture. Organizations use this event to monitor privilege escalation, ensure compliance with security policies, and detect unauthorized access grants. The event fires during Group Policy processing, manual security policy changes, and administrative modifications, making it essential for understanding how privileges are distributed across your Windows infrastructure.
How can I distinguish between legitimate Group Policy assignments and potential security threats in Event ID 4704?+
Legitimate Group Policy assignments typically occur during predictable timeframes: system startup, scheduled Group Policy refresh cycles (every 90-120 minutes for computers, 90 minutes for users), or after administrative policy changes. Correlate Event ID 4704 with Group Policy processing events (1502-1503) in the System log—they should occur within minutes of each other. Suspicious indicators include: assignments outside normal business hours, unusual user rights like SeDebugPrivilege or SeTcbPrivilege being granted to non-administrative accounts, assignments not correlated with Group Policy events, or assignments initiated by unexpected processes. Always verify the Subject field to ensure the assignment was initiated by authorized administrative accounts.
Which user rights assignments should trigger immediate security alerts?+
Several user rights assignments warrant immediate investigation: SeTcbPrivilege (Act as part of the operating system), SeDebugPrivilege (Debug programs), SeLoadDriverPrivilege (Load and unload device drivers), SeTakeOwnershipPrivilege (Take ownership of files), SeRestorePrivilege (Restore files and directories), and SeBackupPrivilege (Back up files and directories). These rights provide extensive system access and are commonly abused by attackers for privilege escalation and persistence. Additionally, monitor assignments of SeServiceLogonRight to user accounts (rather than service accounts), SeInteractiveLogonRight to service accounts, and any assignments to recently created accounts or accounts with suspicious naming patterns.
How do I investigate Event ID 4704 when it appears frequently in my environment?+
Frequent Event ID 4704 occurrences are often normal in Active Directory environments due to Group Policy processing, but investigation is warranted if the frequency suddenly increases. Start by filtering events by time range and analyzing patterns—look for specific user rights, target accounts, and initiating processes. Use PowerShell to group events by PrivilegeName and TargetUserName to identify the most common assignments. Check if the frequency correlates with Group Policy changes, new software installations, or administrative activities. Create a baseline of normal assignment patterns during a stable period, then compare current activity against this baseline. If assignments are policy-driven, verify that Group Policy settings align with your organization's security requirements.
Can Event ID 4704 help detect advanced persistent threats (APTs) and insider threats?+
Yes, Event ID 4704 is valuable for detecting both APTs and insider threats, though it requires correlation with other security events for comprehensive analysis. APTs often manipulate user rights as part of their persistence strategy—look for unusual privilege assignments followed by logon events (4624) and privilege use events (4672, 4673). Insider threats may manifest as gradual privilege accumulation or assignments outside normal administrative processes. Key detection strategies include: monitoring for privilege assignments to accounts that don't typically receive them, correlating assignments with subsequent suspicious activities, tracking assignments made outside business hours or by non-administrative accounts, and identifying patterns where multiple high-value privileges are assigned to the same account over time. Combine this analysis with user behavior analytics and network monitoring for optimal threat detection.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4704 and related privilege assignment monitoring.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Windows User Rights Assignment DocumentationOfficial documentation covering all Windows user rights, their purposes, and security implications for proper Event ID 4704 analysis.https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4704#security-auditing#user-rights

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...