ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Server monitoring dashboard displaying Active Directory domain trust relationships and security audit logs
Event ID 4716InformationSecurityWindows

Windows Event ID 4716 – Security: A Trusted Domain Information Was Modified

Event ID 4716 logs when trusted domain information is modified in Active Directory, indicating changes to domain trust relationships that affect authentication and authorization across domains.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4716Security 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 4716 represents a security audit event that occurs when trusted domain information is modified in Active Directory. This event is generated by domain controllers when changes are made to domain trust relationships, which are fundamental to multi-domain Active Directory environments.

Trust relationships enable users in one domain to access resources in another domain without requiring separate credentials. When these relationships are modified, Event ID 4716 captures the change for security auditing purposes. The event includes comprehensive details about the modification, including the user account that initiated the change, the specific trust that was modified, and the nature of the changes made.

The event is particularly important in enterprise environments where multiple domains exist within a forest or where external trusts are established with other organizations. Any modification to trust relationships can have significant security implications, as these changes affect authentication flows, resource access permissions, and security boundaries between domains.

Modern Windows Server versions in 2026 have enhanced the granularity of this event, providing more detailed information about trust modifications and better integration with advanced threat protection systems. The event helps security teams maintain visibility into critical infrastructure changes that could be exploited by attackers attempting to escalate privileges or move laterally across domain boundaries.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • Administrator modifying trust authentication settings or encryption types
  • Changes to trust direction (one-way to two-way or vice versa)
  • Modification of trust validation settings or selective authentication
  • Updates to trust passwords or shared secrets
  • Changes to trust filtering or quarantine settings
  • Modification of trust attributes through PowerShell or administrative tools
  • Automated trust maintenance operations by domain controllers
  • Trust relationship repairs or reestablishment procedures
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4716 entry to understand what was modified.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4716 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: Account that made the change
    • Trusted Domain Information: Details about the modified trust
    • Changes Made: Specific modifications performed
  6. Note the timestamp and correlate with any scheduled maintenance or administrative activities
Pro tip: The event description includes before and after values for modified trust attributes, making it easy to identify exactly what changed.
02

Query Events with PowerShell

Use PowerShell to query and analyze Event ID 4716 entries across multiple domain controllers.

  1. Open PowerShell as Administrator
  2. Query recent trust modification events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4716} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4716; StartTime=$StartTime}
$Events | Format-Table TimeCreated, Message -Wrap
  4. Extract specific trust information:
    $Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $EventData = $Event.Event.EventData.Data
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        Domain = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
        TrustedDomain = ($EventData | Where-Object {$_.Name -eq 'TrustedDomainName'}).'#text'
    }
}
03

Verify Trust Status and Configuration

Validate the current trust configuration to ensure modifications were applied correctly and identify any issues.

  1. Check trust relationships using netdom:
    netdom trust /domain:yourdomain.com /verify
  2. List all trust relationships:
    Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, Created, Modified
  3. Test trust connectivity:
    Test-ComputerSecureChannel -Server dc01.yourdomain.com
  4. Verify trust authentication:
    nltest /trusted_domains
  5. Check trust validation settings:
    Get-ADTrust -Identity "TrustedDomainName" | Select-Object SelectiveAuthentication, SIDFilteringQuarantined
  6. Review trust properties in Active Directory Domains and Trusts console
Warning: Always test trust functionality after modifications to ensure authentication and resource access work correctly.
04

Audit Trust Modification History

Perform comprehensive auditing of trust modifications to identify patterns or unauthorized changes.

  1. Enable advanced audit policies if not already configured:
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
  2. Query trust modification events across all domain controllers:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Invoke-Command -ComputerName $DC.Name -ScriptBlock {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4716} -MaxEvents 20 -ErrorAction SilentlyContinue
    }
}
  3. Create a comprehensive trust audit report:
    $TrustEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4716} -MaxEvents 100
$Report = $TrustEvents | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $EventData = $EventXML.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        Domain = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
        TrustedDomain = ($EventData | Where-Object {$_.Name -eq 'TrustedDomainName'}).'#text'
        Changes = $_.Message
    }
}
$Report | Export-Csv -Path "C:\TrustAudit.csv" -NoTypeInformation
05

Implement Monitoring and Alerting

Set up proactive monitoring for trust modifications to detect unauthorized changes quickly.

  1. Create a scheduled task to monitor Event ID 4716:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\TrustMonitor.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
$Principal = New-ScheduledTaskPrincipal -UserID "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "TrustModificationMonitor" -Action $Action -Trigger $Trigger -Principal $Principal
  2. Create the monitoring script (C:\Scripts\TrustMonitor.ps1):
    # Check for new Event ID 4716 entries
$LastCheck = Get-Content "C:\Scripts\LastCheck.txt" -ErrorAction SilentlyContinue
if (-not $LastCheck) { $LastCheck = (Get-Date).AddHours(-1) }

$NewEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4716
    StartTime=[DateTime]$LastCheck
} -ErrorAction SilentlyContinue

if ($NewEvents) {
    # Send alert email or notification
    $Body = "Trust modification detected: $($NewEvents.Count) events"
    Send-MailMessage -To "admin@company.com" -From "monitor@company.com" -Subject "Trust Modification Alert" -Body $Body -SmtpServer "mail.company.com"
}

Get-Date | Out-File "C:\Scripts\LastCheck.txt"
  3. Configure Windows Event Forwarding to centralize trust modification events
  4. Set up SIEM integration to correlate trust changes with other security events
Pro tip: Consider implementing approval workflows for trust modifications in production environments to prevent unauthorized changes.

Overview

Event ID 4716 fires when trusted domain information is modified within Active Directory. This event captures changes to domain trust relationships, which are critical components of multi-domain environments. The event appears in the Security log on domain controllers when administrators modify trust properties, authentication settings, or trust validation parameters.

This event is part of the advanced audit policy for Account Management and specifically tracks modifications to trusted domain objects. In enterprise environments with complex domain structures, this event helps administrators track changes that could impact cross-domain authentication, resource access, and security boundaries. The event provides detailed information about what was changed, who made the change, and when it occurred.

Domain controllers generate this event during trust establishment, modification of trust properties, or when trust validation settings are updated. The event includes the Security ID of the account making the change, the target domain information, and specific details about the modifications performed on the trust relationship.

Frequently Asked Questions

What does Event ID 4716 indicate about domain security?+
Event ID 4716 indicates that trusted domain information has been modified, which is a significant security event. Trust relationships control authentication and authorization between domains, so any changes can affect security boundaries. This event helps administrators track when trust configurations are altered, who made the changes, and what specific modifications occurred. In security terms, unauthorized trust modifications could potentially allow attackers to escalate privileges or move laterally between domains.
How can I determine what specific trust changes were made in Event ID 4716?+
The Event ID 4716 entry contains detailed information about the specific changes made to the trust relationship. In the event details, look for the 'Changes Made' section which shows before and after values for modified attributes. Common changes include trust direction modifications, authentication type updates, encryption changes, and selective authentication settings. You can also use PowerShell to parse the event XML data and extract specific change details programmatically for analysis.
Should I be concerned about frequent Event ID 4716 entries?+
Frequent Event ID 4716 entries warrant investigation, as trust relationships should not change frequently in stable environments. Regular occurrences could indicate automated trust maintenance, but they could also suggest unauthorized modifications or misconfigurations. Establish a baseline of normal trust modification patterns in your environment and investigate any deviations. Pay particular attention to changes made outside of maintenance windows or by unexpected user accounts.
Can Event ID 4716 help detect privilege escalation attacks?+
Yes, Event ID 4716 can be valuable for detecting certain privilege escalation attacks, particularly those involving trust relationship manipulation. Attackers with sufficient privileges might attempt to modify trust settings to weaken security boundaries or enable unauthorized access between domains. Monitor for trust modifications that reduce security settings, such as disabling selective authentication or changing trust directions. Correlate these events with other suspicious activities like unusual logon patterns or privilege changes.
How do I configure auditing to ensure Event ID 4716 is captured?+
To ensure Event ID 4716 is captured, enable the 'Audit Computer Account Management' policy under Advanced Audit Policy Configuration. Use the command 'auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable' to configure this setting. This policy should be applied to all domain controllers in your environment. Additionally, ensure that the Security log has sufficient size to retain these events, as trust modifications are critical security events that should be preserved for analysis and compliance purposes.
Documentation

References (2)

1
Microsoft Learn - Advanced Security Audit PoliciesOfficial Microsoft documentation covering advanced audit policy configuration including computer account management auditing.https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
2
Microsoft Docs - Domain and Forest TrustsComprehensive guide to understanding and managing domain trust relationships in Active Directory environments.https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/forest-design-concepts
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4716#domain-trusts#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...