Windows Event ID 4794 – Security: An Attempt Was Made to Set the Directory Services Restore Mode Administrator Password

Event ID 4794 fires when someone attempts to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This security event tracks critical DSRM password modifications.

Emanuel DE ALMEIDA, 18 March 2026

What This Event Means

Event ID 4794 is the security audit event Windows writes whenever someone attempts to set the Directory Services Restore Mode administrator password. It is generated only on domain controllers, under the Account Management / User Account Management audit subcategory, and it covers one of the most privileged credentials in the domain.

The DSRM administrator account lives in the domain controller's local SAM, not in Active Directory: it is not replicated, it is not subject to the domain password policy, and each DC has its own DSRM password. It provides emergency access when the DC boots into Directory Services Restore Mode for offline maintenance, AD database restores or recovery from catastrophic failure. Because the account operates outside normal AD security boundaries, every change to its password needs to be tracked individually.

The event records the Subject (security identifier, account name, domain and Logon ID of the caller), the Caller Workstation, and a Status Code (0x0 when the new password was accepted), together with the timestamp and the name of the DC in the Computer field. Note what it does not record: there is no process name, no target account field and no source IP address in 4794 itself; that context has to be pulled from the other events that share the same Logon ID (4624 logon, 4672 special privileges, 4688 process creation). The subcategory can be audited for success and failure, so the event provides the audit trail that compliance frameworks such as SOX, HIPAA and PCI DSS expect for privileged credential changes.

On Windows Server 2025 the event is collected exactly as on earlier releases. Forwarding it to a SIEM such as Microsoft Sentinel and correlating it with Microsoft Defender for Identity alerts lets anomalous DSRM password changes be tied to other signs of privilege escalation or insider activity against domain infrastructure. (Advanced Threat Analytics, named in older guidance, left mainstream support in January 2021 and is superseded by Defender for Identity.)

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
Analysis

Possible Causes

  • Administrator using ntdsutil to reset DSRM password during planned maintenance
  • Automated scripts or configuration management tools modifying DSRM credentials
  • Security policy enforcement requiring periodic DSRM password rotation
  • Recovery operations following domain controller failures or corruption
  • Unauthorized access attempts targeting the DSRM administrator account
  • Scheduled jobs running ntdsutil "set dsrm password" "sync from domain account ..." to keep the DSRM password aligned with a designated domain account (there is no Group Policy setting that changes the DSRM password)
  • Third-party Active Directory management tools performing DSRM operations

Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the complete event details to understand who initiated the DSRM password change and when it occurred.

  1. Open Event Viewer on the affected domain controller
  2. Navigate to Windows Logs > Security
  3. Filter the log for Event ID 4794
  4. Double-click the event and note the fields it actually carries:
    • Subject: Security ID, Account Name, Account Domain and Logon ID of the caller
    • Additional Information: Caller Workstation (a client-supplied machine name, so treat it as a hint rather than proof) and Status Code (0x0 means the password was set)
    • Computer, in the System section: the domain controller the change was made on
  5. Record the timestamp, Logon ID, caller workstation and account for the audit file. The Logon ID is the key for finding the matching logon (4624) and process creation (4688) events, because 4794 itself has no process or network fields

Use PowerShell to query several domain controllers (Get-WinEvent accepts a single -ComputerName value, so iterate over the list):

'DC01','DC02','DC03' | ForEach-Object {
    Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName='Security'; Id=4794} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
} | Format-Table -AutoSize -Wrap
Step 2: Verify DSRM Password Change Authorization

Confirm whether the DSRM password change was authorized and follows your organization's change management procedures.

  1. Check your change management system for an approved DSRM password rotation request covering that DC and that time
  2. Verify that the account in the Subject field is allowed to perform DSRM operations; setting the DSRM password requires local Administrators rights on the DC, which in practice means Domain Admins or an equivalent tier-0 group
  3. Review the privileged group memberships the account holds:
Get-ADGroupMember "Domain Admins" | Select-Object Name,SamAccountName
Get-ADGroupMember "Enterprise Admins" | Select-Object Name,SamAccountName
Get-ADGroupMember "Administrators" | Select-Object Name,SamAccountName
  4. Cross-reference the event timestamp with maintenance windows or scheduled tasks
  5. Interview the user identified in the event to confirm legitimate activity
  6. Check for corresponding events on other domain controllers in the same timeframe; a planned rotation usually touches every DC, while an attacker typically touches one
Warning: Unauthorized DSRM password changes represent a critical security incident requiring immediate investigation and potential incident response activation.
Step 3: Analyze Process and Network Context

Examine the process information and network context to determine how the DSRM password change was initiated.

  1. Event ID 4794 does not contain a process name. To see which tool made the change, take the Subject Logon ID from the 4794 and look for Event ID 4688 (Process Creation) entries on the same DC whose Subject carries that Logon ID; a planned rotation shows ntdsutil.exe, anything else deserves a closer look
  2. Flag unexpected binaries, unsigned executables, or processes started from user-writable or temporary directories
  3. Find the logon session behind the change. Event 4624 carries the same value as Target Logon ID together with the Logon Type and source address, 4672 confirms the session received administrative privileges, and 4625 shows failed attempts by the same account around the same time:
# Replace with the Subject Logon ID and Account Name from the 4794 (the values here are placeholders)
$LogonId = '0x3E7A1'; $Account = 'jdoe'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4672,4688; StartTime=(Get-Date).AddHours(-2)} |
    Where-Object { $_.Message -match "Logon ID:\s+$LogonId" -or ($_.Id -eq 4625 -and $_.Message -match "Account Name:\s+$Account") }
  4. From the matching 4688 entries, examine the parent process and the command line (the Command Line field is only populated when the policy below is enabled)
  5. Treat a 4672 for the same Logon ID as confirmation that the session held the privileges needed for the operation; its absence for a successful 4794 is itself suspicious
  6. Review firewall logs and network monitoring for connections to the domain controller from the source address shown in the 4624

Enable process creation auditing, and include the command line in 4688, so future investigations have this context:

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
# Populate the Command Line field of 4688 (same effect as the Group Policy setting
# "Include command line in process creation events")
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
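The correlation described in Steps 1 and 3 can be scripted. The following is an added example written for this article, not code from the original page: it reads 4794 entries from a live DC or an exported .evtx, extracts the fields by name from the event XML (the names SubjectLogonId, Workstation and Status are those of the 4794 schema), and attaches the 4624, 4672 and 4688 events that share the same Logon ID. DC names and file paths are whatever you pass in.

```powershell
# Added example: enrich each 4794 with the logon and process events that share its Logon ID.
function Get-DsrmPasswordChangeContext {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # DC to query; ignored when -Path is supplied
        [string]$Path,                              # exported .evtx for offline analysis
        [int]$WindowMinutes = 120                   # look-back for the 4624/4672/4688 with the same Logon ID
    )

    # Build a Get-WinEvent filter for either the live Security log or an exported file
    function New-Filter([int[]]$Id, [nullable[datetime]]$Start, [nullable[datetime]]$End) {
        $f = @{ Id = $Id }
        if ($Path) { $f.Path = $Path } else { $f.LogName = 'Security' }
        if ($Start) { $f.StartTime = $Start }
        if ($End)   { $f.EndTime   = $End }
        return $f
    }
    # EventData is positional; index it by name from the XML instead of regex-scanning Message
    function Get-Data($Record) {
        $h = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        return $h
    }

    $common = @{ ErrorAction = 'SilentlyContinue' }
    if (-not $Path) { $common.ComputerName = $ComputerName }

    foreach ($ev in Get-WinEvent @common -FilterHashtable (New-Filter 4794)) {
        $d       = Get-Data $ev
        $logonId = $d['SubjectLogonId']
        $start   = $ev.TimeCreated.AddMinutes(-$WindowMinutes)
        $end     = $ev.TimeCreated.AddMinutes(1)

        # 4624 carries the session as TargetLogonId; 4672 and 4688 carry it as SubjectLogonId
        $related = Get-WinEvent @common -FilterHashtable (New-Filter (4624, 4672, 4688) $start $end) |
            ForEach-Object { [pscustomobject]@{ Id = $_.Id; Data = (Get-Data $_) } } |
            Where-Object { $_.Data['TargetLogonId'] -eq $logonId -or $_.Data['SubjectLogonId'] -eq $logonId }

        $logon = $related | Where-Object Id -eq 4624 | Select-Object -First 1
        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            DC          = $ev.MachineName
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            SubjectSid  = $d['SubjectUserSid']
            LogonId     = $logonId
            Workstation = $d['Workstation']           # "Caller Workstation" in the rendered event
            Status      = $d['Status']                # 0x0 = password set
            LogonType   = $logon.Data['LogonType']    # 2 console, 3 network, 10 RDP
            SourceIp    = $logon.Data['IpAddress']
            Privileged  = [bool]($related | Where-Object Id -eq 4672)
            Processes   = @($related | Where-Object Id -eq 4688 |
                            ForEach-Object { "$($_.Data['NewProcessName']) $($_.Data['CommandLine'])".Trim() }) -join '; '
        }
    }
}

# Usage (hypothetical DC name and path):
# Get-DsrmPasswordChangeContext -ComputerName DC01 | Format-List
# Get-DsrmPasswordChangeContext -Path C:\Forensics\Security_DC01.evtx | Format-List
```

A 4794 with Status 0x0 whose Processes column is empty means the DC did not have process creation auditing on at the time, or the change came through a path that never spawned ntdsutil.exe; either way, the LogonType and SourceIp from the 4624 tell you whether the session was console, RDP or a network logon from somewhere unexpected.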
Step 4: Implement Enhanced DSRM Monitoring

Deploy comprehensive monitoring to detect and alert on future DSRM password changes in real-time.

  1. Configure Windows Event Forwarding so every DC sends Event ID 4794 to a collector; the subscription query is:
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[EventID=4794]]</Select>
  </Query>
</QueryList>
  2. For a quick local alert, register a WMI event subscription. Win32_NTLogEvent is not itself an event class, so subscribe to the creation of its instances through __InstanceCreationEvent (the subscription lives as long as the PowerShell session that registers it; a scheduled task or the WEF collector is the durable option):
# DSRM Password Change Monitor
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile='Security' AND TargetInstance.EventCode=4794"
Register-WmiEvent -Query $query -SourceIdentifier 'DsrmPasswordChange' -Action {
    $log = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Send-MailMessage is deprecated but still ships; replace with your alerting API if you have one
    Send-MailMessage -From "dc-alerts@company.com" -To "security@company.com" -SmtpServer "smtp.company.com" `
        -Subject "DSRM Password Change Detected" `
        -Body "Event ID 4794 detected on $($log.ComputerName) at $($log.TimeGenerated): $($log.Message)"
}
  3. Configure SIEM integration to correlate DSRM events with other security indicators
  4. Set up automated response workflows for 4794 events that have no matching change record
  5. There is no Group Policy setting for the DSRM password. Rotate it on a schedule instead, with ntdsutil or by syncing it from a dedicated domain account, and record each rotation so that the resulting 4794 is an expected event
Step 5: Forensic Analysis and Incident Response

Conduct thorough forensic analysis when Event ID 4794 indicates potential security incidents or policy violations.

  1. Preserve evidence by exporting the relevant logs before anything else on the DC is changed:
# Export Security and System logs for forensic analysis (run elevated) and hash the copies
New-Item -ItemType Directory -Path C:\Forensics -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
wevtutil epl Security "C:\Forensics\Security_$stamp.evtx"
wevtutil epl System "C:\Forensics\System_$stamp.evtx"
Get-FileHash "C:\Forensics\*_$stamp.evtx" -Algorithm SHA256 | Export-Csv "C:\Forensics\hashes_$stamp.csv" -NoTypeInformation
  2. Check the registry value that controls when the DSRM account may log on (note the HKLM: drive prefix, without which Get-ItemProperty fails). Absent or 0 is the default and only allows logon when the DC is booted into DSRM; 1 also allows it while the AD DS service is stopped; 2 allows the DSRM administrator to log on at any time, including over the network, and paired with a reset DSRM password is a well-known persistence setting:
# Check the DSRM logon behaviour setting
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -ErrorAction SilentlyContinue
  3. Review the Directory Service log and replication status for anomalies around the same time, bearing in mind that the DSRM password is local to each DC and never replicates, so a change on one DC says nothing about the others
  4. Examine memory dumps if available for process analysis
  5. Coordinate with the incident response team to determine scope and impact
  6. Document findings and implement remediation measures
Pro tip: Enable PowerShell script block logging and module logging to capture detailed command execution context for DSRM operations.
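The evidence export and the DsrmAdminLogonBehavior check above are usually needed on every DC at once. The following is an added example, not code from the original article: it runs both on each domain controller over PowerShell remoting, hashes the exported log immediately, and optionally removes a non-default logon-behaviour value. It assumes WinRM to the DCs, the ActiveDirectory module on the workstation, and an evidence folder path that is a placeholder.

```powershell
# Added example: collect Security log + DSRM logon behaviour from all DCs in one pass.
function Invoke-DsrmForensicCollection {
    [CmdletBinding()]
    param(
        # Default: every DC in the current domain (requires the ActiveDirectory module)
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [string]$EvidenceDir = 'C:\Forensics',   # hypothetical path, local to each DC
        [switch]$Remediate                        # remove a non-default DsrmAdminLogonBehavior value
    )
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
        New-Item -ItemType Directory -Path $using:EvidenceDir -Force | Out-Null
        $evtx = Join-Path $using:EvidenceDir "Security_${env:COMPUTERNAME}_$stamp.evtx"

        # wevtutil exports the live log verbatim; hash it at once to anchor the chain of custody
        wevtutil epl Security $evtx
        $hash = (Get-FileHash -Path $evtx -Algorithm SHA256).Hash

        # 0/absent: DSRM logon only in DSRM boot (default); 1: also when NTDS is stopped;
        # 2: always, including network logon, which is the value attackers set for persistence
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $item  = Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.DsrmAdminLogonBehavior } else { 0 }
        $meaning = switch ($value) {
            0       { 'Default: DSRM logon only when booted into DSRM' }
            1       { 'DSRM logon allowed while the AD DS service is stopped' }
            2       { 'DSRM logon always allowed, including over the network: backdoor indicator' }
            default { 'Undocumented value' }
        }
        $remediated = $false
        if ($using:Remediate -and $value -ne 0) {
            Remove-ItemProperty -Path $key -Name DsrmAdminLogonBehavior
            $remediated = $true
        }
        [pscustomobject]@{
            DC = $env:COMPUTERNAME; Export = $evtx; Sha256 = $hash
            DsrmAdminLogonBehavior = $value; Meaning = $meaning; Remediated = $remediated
        }
    } | Select-Object DC, DsrmAdminLogonBehavior, Meaning, Remediated, Export, Sha256
}

# Usage: collect first, remediate only after the evidence is safe
# Invoke-DsrmForensicCollection | Format-Table -AutoSize
# Invoke-DsrmForensicCollection -Remediate
```

Run the collection without -Remediate first: the registry value is itself evidence, and removing it on a DC where the attacker also reset the DSRM password closes the door without telling you the password is theirs. The DSRM password must still be rotated on any DC that shows value 2.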

Overview

Event ID 4794 appears in the Security log whenever an administrator attempts to set or modify the Directory Services Restore Mode (DSRM) administrator password on a Windows domain controller. Its Status Code field records the outcome (0x0 on success), which makes it the audit trail for DSRM password operations.

The DSRM administrator account provides emergency access to domain controllers when Active Directory services are offline or corrupted. Since this account lives in the DC's local SAM and bypasses normal AD authentication, tracking password changes through Event ID 4794 is essential for security monitoring and compliance auditing.

This event typically appears during planned maintenance windows when administrators use ntdsutil to reset DSRM passwords; unexpected occurrences may indicate unauthorized access or security policy violations. The event captures the account (and Logon ID) that initiated the change, the caller workstation, the domain controller and the timestamp, which is what forensic analysis starts from.

Frequently Asked Questions

What does Event ID 4794 mean and why is it important?
Event ID 4794 indicates an attempt to set or change the Directory Services Restore Mode (DSRM) administrator password on a domain controller. This event is critically important because the DSRM account provides emergency access to domain controllers outside of normal Active Directory authentication. Any change to this password should be carefully monitored and audited, since unauthorized modifications could indicate privilege escalation or insider threats targeting your domain infrastructure.
How can I tell if an Event ID 4794 represents legitimate or suspicious activity?
Legitimate Event ID 4794 occurrences typically correlate with approved change management requests, scheduled maintenance windows, or disaster recovery operations. The event should show an authorized administrator account, and the 4688 events for the same Logon ID should show a standard tool such as ntdsutil.exe, during business hours or planned maintenance periods. Suspicious indicators include unexpected timestamps, unauthorized user accounts, unusual processes in the correlated 4688 events, a Status Code other than 0x0, or changes occurring outside approved maintenance windows. Always cross-reference with your change management system and verify with the user identified in the event.
What tools typically generate Event ID 4794 and should I be concerned about other processes?
In nearly every legitimate case the tool is ntdsutil.exe, Microsoft's built-in utility for Active Directory database maintenance. Under the hood ntdsutil issues the SAMR SetDSRMPassword call (SamrSetDSRMPassword in MS-SAMR), so any client that speaks that protocol, whether a PowerShell script, a third-party AD management tool or an attacker's utility, produces exactly the same event. The event itself does not name the process; identify it through Event ID 4688 entries with the same Logon ID. Be concerned if those show unusual process names, unsigned executables, or processes running from temporary directories. A DSRM password change from an unexpected application warrants immediate investigation, as it could indicate malware or unauthorized tooling targeting your domain controllers.
How often should DSRM passwords be changed and what's considered best practice?
Microsoft does not publish a fixed interval for the DSRM password. Most organizations rotate it on the same cadence as other tier-0 credentials, typically every 90 to 180 days, and immediately after any administrator who knows it leaves. Best practices include using a complex password that differs from every other administrative account, recording each change in the change management system so the resulting 4794 is expected, and ensuring that more than one authorized administrator can retrieve the current password in an emergency. Because each DC has its own DSRM password, rotation has to reach every DC; some organizations automate this with ntdsutil's "sync from domain account" option or a PowerShell loop, but manual changes during maintenance windows remain common. Always test DSRM access after a change to ensure emergency recovery still works.
Can Event ID 4794 help detect advanced persistent threats (APTs) targeting my domain?
Yes. Advanced attackers reset the DSRM password, often together with setting DsrmAdminLogonBehavior to 2, to establish backdoor access that survives Active Directory restoration, password resets in the domain, and most cleanup efforts, because the credential lives outside AD. DSRM password changes during off-hours, from unexpected accounts, or coinciding with other suspicious activity are therefore strong indicators. Integrate Event ID 4794 monitoring with your SIEM and correlate it with unusual logons, privilege escalations and lateral movement indicators to detect sophisticated attacks against your domain controllers.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control, sharing field-tested ops & troubleshooting.
