[Image: Windows Server Active Directory Group Policy Management Console displaying security policy configurations]

Windows Event ID 4936 – Microsoft-Windows-Security-Auditing: User Account Management Policy Change

Event ID 4936 logs changes to user account management policies in Active Directory. This security audit event fires when administrators modify password policies, account lockout settings, or Kerberos authentication policies.

Emanuel DE ALMEIDA
18 March 2026, 9 min read

Event Reference

What This Event Means

Event ID 4936 represents a fundamental component of Windows security auditing infrastructure, specifically designed to track changes to user account management policies within Active Directory domains. When this event fires, it indicates that someone with sufficient privileges has modified critical authentication and authorization policies that govern how user accounts behave within the domain.

The event captures modifications to several key policy areas including Default Domain Policy settings for password complexity, minimum password length, password history, maximum password age, minimum password age, account lockout threshold, account lockout duration, and reset account lockout counter settings. Additionally, it tracks changes to Kerberos policies such as maximum lifetime for user tickets, maximum lifetime for service tickets, maximum tolerance for computer clock synchronization, and enforce user logon restrictions.

This audit event is particularly valuable in enterprise environments where compliance requirements mandate detailed tracking of security policy changes. The event provides forensic-quality information including the exact timestamp of the change, the user account that initiated the modification, the workstation from which the change was made, and specific details about which policy object was altered. This granular level of detail makes Event ID 4936 indispensable for security incident response, compliance reporting, and maintaining an audit trail of administrative actions that could impact domain security.

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Active Directory Domain Controllers

Analysis

Possible Causes

  • Administrator modifying Default Domain Policy password settings through Group Policy Management Console
  • PowerShell scripts executing Set-ADDefaultDomainPasswordPolicy or related cmdlets
  • Direct modification of domain policy objects using ADSI Edit or other low-level Active Directory tools
  • Group Policy updates being applied that contain changes to account policies
  • Automated policy management tools making programmatic changes to user account policies
  • Domain controller replication events synchronizing policy changes from other domain controllers
  • Security compliance tools automatically adjusting password policies to meet organizational requirements
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4936 to understand what policy was changed and by whom.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4936 using the filter option
  4. Double-click the event to view detailed information including:
    • Subject: The user account that made the change
    • Policy Change: Specific policy object that was modified
    • Process Information: The process that initiated the change
  5. Note the timestamp and correlate with any recent administrative activities

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4936} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Analyze Policy Changes with PowerShell

Use PowerShell to extract detailed information about the policy changes and identify patterns or unauthorized modifications.

  1. Query Event ID 4936 events with detailed filtering:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4936; StartTime=(Get-Date).AddDays(-7)}
foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $Subject = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $PolicyName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'PolicyName'} | Select-Object -ExpandProperty '#text'
    Write-Output "Time: $($Event.TimeCreated) | User: $Subject | Policy: $PolicyName"
}
  2. Cross-reference the changes with current domain policy settings:
Get-ADDefaultDomainPasswordPolicy | Format-List *
  3. Check for any recent Group Policy modifications that might correlate with the events
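Cross-referencing by hand only tells you the current values, not what they were before the event. The script below is an added example, not code from the original article: it keeps a JSON snapshot of the attributes returned by Get-ADDefaultDomainPasswordPolicy and, on each run, reports which tracked attribute changed and which Event ID 4936 entries were logged since the snapshot was written, so each event can be paired with the setting it changed. The snapshot path is an assumption; the script needs the ActiveDirectory module and read access to the Security log on the domain controller where it runs.

```powershell
# Added example (not from the original article): snapshot the default domain
# password policy and diff it against the previous snapshot on each run.
# The snapshot path below is an assumption; adjust to your environment.
param(
    [string]$SnapshotPath = "C:\Logs\DefaultDomainPasswordPolicy.json"
)

Import-Module ActiveDirectory

# Attributes covered by the event, as listed in the article; all are properties
# of the object returned by Get-ADDefaultDomainPasswordPolicy
$Tracked = @(
    'ComplexityEnabled', 'MinPasswordLength', 'PasswordHistoryCount',
    'MaxPasswordAge', 'MinPasswordAge', 'LockoutThreshold',
    'LockoutDuration', 'LockoutObservationWindow', 'ReversibleEncryptionEnabled'
)

$Policy = Get-ADDefaultDomainPasswordPolicy

# Store every value as a string so TimeSpan values round-trip through JSON
$Current = @{}
foreach ($Name in $Tracked) { $Current[$Name] = [string]$Policy.$Name }

if (Test-Path $SnapshotPath) {
    $SnapshotTime = (Get-Item $SnapshotPath).LastWriteTime
    $Previous = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json

    # One row per attribute whose value differs from the snapshot
    $Changes = foreach ($Name in $Tracked) {
        if ([string]$Previous.$Name -ne $Current[$Name]) {
            [pscustomobject]@{ Setting = $Name; Before = $Previous.$Name; After = $Current[$Name] }
        }
    }

    if ($Changes) {
        Write-Output "Attributes changed since snapshot of $SnapshotTime"
        $Changes | Format-Table -AutoSize

        # Event ID 4936 entries logged since the snapshot attribute the change to an account
        Write-Output "Event ID 4936 entries since $SnapshotTime"
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4936; StartTime = $SnapshotTime } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $Xml = [xml]$_.ToXml()
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    User = ($Xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
                }
            } | Format-Table -AutoSize
    } else {
        Write-Output "No change to the default domain password policy since $SnapshotTime"
    }
} else {
    Write-Output "No previous snapshot found; writing the baseline to $SnapshotPath"
}

# Write the new snapshot for the next run
$null = New-Item -ItemType Directory -Path (Split-Path -Path $SnapshotPath) -Force
$Current | ConvertTo-Json | Set-Content -Path $SnapshotPath
```

Run it once to create the baseline, then again after any suspected change; scheduling it alongside the event query makes the "what changed" question answerable without relying on memory of the previous values. Because Kerberos policy settings live in the GPO rather than on the domain object, they are not covered by this diff.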
03

Investigate Group Policy Management Changes

Examine Group Policy Management Console logs and settings to understand the context of policy changes.

  1. Open Group Policy Management Console (gpmc.msc)
  2. Navigate to Forest > Domains > Your Domain > Default Domain Policy
  3. Right-click Default Domain Policy and select Edit
  4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies
  5. Review current settings for:
    • Password Policy
    • Account Lockout Policy
    • Kerberos Policy
  6. Check the Security tab of the Default Domain Policy to see who has permissions to modify it
  7. Use PowerShell to get detailed policy information:
Get-GPO -Name "Default Domain Policy" | Get-GPPermission -All | Where-Object {$_.Permission -eq "GpoEdit"}
04

Enable Advanced Auditing for Policy Changes

Configure comprehensive auditing to capture more detailed information about future policy changes.

  1. Open Group Policy Management Console and edit the Default Domain Controllers Policy
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Policy Change
  3. Enable Audit Authentication Policy Change for both Success and Failure
  4. Enable Audit Authorization Policy Change for both Success and Failure
  5. Apply the policy and run gpupdate on domain controllers:
gpupdate /force
  6. Verify the audit settings are applied:
auditpol /get /subcategory:"Authentication Policy Change"
  7. Set up automated monitoring using PowerShell:
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4936" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "Policy Change Detected: $($Event.TimeGenerated) - $($Event.Message)"
}
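Checking auditpol on one domain controller does not prove the setting reached the others, and a single DC left at "No Auditing" is enough to miss the event. The script below is an added example, not code from the original article: it runs auditpol on every domain controller in the domain and reports whether both Policy Change subcategories from step 04 are set to Success and Failure. It assumes the ActiveDirectory module, WinRM access to the domain controllers, and rights to run auditpol on them.

```powershell
# Added example (not from the original article): verify the two Policy Change
# subcategories on every domain controller in the domain.
Import-Module ActiveDirectory

$Subcategories = @('Authentication Policy Change', 'Authorization Policy Change')
$DomainControllers = (Get-ADDomainController -Filter *).HostName

$Report = Invoke-Command -ComputerName $DomainControllers -ArgumentList (, $Subcategories) -ScriptBlock {
    param([string[]]$Subcategories)
    foreach ($Sub in $Subcategories) {
        # /r prints CSV with a header row:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $Row = auditpol /get /subcategory:"$Sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $Sub
            Setting     = $Row.'Inclusion Setting'
            Compliant   = ($Row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

# PSComputerName is added by Invoke-Command and identifies the DC each row came from
$Report |
    Select-Object PSComputerName, Subcategory, Setting, Compliant |
    Sort-Object PSComputerName, Subcategory |
    Format-Table -AutoSize

$NonCompliant = @($Report | Where-Object { -not $_.Compliant })
if ($NonCompliant.Count -gt 0) {
    Write-Warning "$($NonCompliant.Count) subcategory setting(s) are not 'Success and Failure'; check Group Policy application on the listed domain controllers"
}
```

A domain controller that shows a non-compliant row after gpupdate usually has a local or lower-precedence audit policy overriding the Default Domain Controllers Policy, or has not yet replicated the GPO change; rerun the check after replication before treating it as a configuration problem.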
05

Implement Comprehensive Policy Change Monitoring

Deploy enterprise-level monitoring and alerting for critical policy changes using advanced PowerShell scripting and Windows Event Forwarding.

  1. Create a comprehensive monitoring script that tracks all policy-related events:
# Save as Monitor-PolicyChanges.ps1
param(
    [string]$LogPath = "C:\Logs\PolicyChanges.log",
    [string]$SMTPServer = "mail.company.com",
    [string]$AlertEmail = "security@company.com"
)

# Make sure the log directory exists before the first Add-Content
$null = New-Item -ItemType Directory -Path (Split-Path -Path $LogPath) -Force

$EventFilter = @{
    LogName = 'Security'
    Id = 4936, 4739, 4713, 4719
    StartTime = (Get-Date).AddMinutes(-5)
}

$Events = Get-WinEvent -FilterHashtable $EventFilter -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    $EventData = [xml]$Event.ToXml()
    $Data = $EventData.Event.EventData.Data
    # Look fields up by name rather than by position: the four event IDs do not share one field order
    $User = ($Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    $Policy = ($Data | Where-Object { $_.Name -eq 'PolicyName' }).'#text'
    # Record the event's own timestamp, not the time the script ran
    $LogEntry = "$($Event.TimeCreated): Event $($Event.Id) - User: $User - Policy: $Policy"
    Add-Content -Path $LogPath -Value $LogEntry

    # Send alert for critical changes
    if ($Event.Id -eq 4936) {
        Send-MailMessage -To $AlertEmail -From "noreply@company.com" -Subject "Critical Policy Change Detected" -Body $LogEntry -SmtpServer $SMTPServer
    }
}
  2. Schedule the script to run every 5 minutes using Task Scheduler:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\Monitor-PolicyChanges.ps1"
# -Once is required when a repetition interval is given; the task then repeats every 5 minutes for a year
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "PolicyChangeMonitor" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  3. Configure Windows Event Forwarding to centralize policy change events from all domain controllers
  4. Set up custom Event Viewer views to filter and display policy change events across the domain
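The monitoring script above alerts on every Event ID 4936, which quickly trains people to ignore the mail. The script below is an added example, not code from the original article: it applies the two checks the FAQ recommends, flagging only events that fall outside business hours or that were made by an account not on the change-management list, and exits non-zero when it finds any so a scheduled task or collector can distinguish findings from a clean run. The approved account names, business hours and lookback window are assumptions to adapt; the field names SubjectUserName and PolicyName are the ones the article uses for this event.

```powershell
# Added example (not from the original article): flag Event ID 4936 entries that
# are off-hours or come from accounts not on the change-management list.
# The account names, hours and lookback window below are assumptions.
param(
    [string[]]$ApprovedAccounts = @('svc-gpo-automation', 'gpo-admin'),
    [int]$BusinessStart = 8,    # 08:00 local time
    [int]$BusinessEnd   = 18,   # 18:00 local time
    [int]$LookbackDays  = 7
)

# Extract a named EventData field from the event's XML
function Get-EventField($EventXml, [string]$Name) {
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Entries = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4936; StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

$Findings = foreach ($Entry in $Entries) {
    $Xml  = [xml]$Entry.ToXml()
    $User = Get-EventField $Xml 'SubjectUserName'
    $Reasons = @()

    # Check 1: change made outside business hours or on a weekend
    $Hour = $Entry.TimeCreated.Hour
    if ($Hour -lt $BusinessStart -or $Hour -ge $BusinessEnd -or
        $Entry.TimeCreated.DayOfWeek -in 'Saturday', 'Sunday') {
        $Reasons += 'outside business hours'
    }

    # Check 2: change made by an account that is not approved to modify policy
    if ($User -and $User -notin $ApprovedAccounts) {
        $Reasons += "account '$User' not on the approved change list"
    }

    if ($Reasons.Count -gt 0) {
        [pscustomobject]@{
            Time   = $Entry.TimeCreated
            User   = $User
            Policy = Get-EventField $Xml 'PolicyName'
            Reason = $Reasons -join '; '
        }
    }
}

if ($Findings) {
    $Findings | Sort-Object Time | Format-Table -AutoSize
    # Non-zero exit code lets the scheduler or collector tell "findings" from "clean"
    exit 1
} else {
    Write-Output "No unexpected policy changes in the last $LookbackDays days"
}
```

Keeping the approved list in the script is enough for a first pass; in practice, feed it from the change-management system so an account added to the list is itself a reviewed change, and run the script against the forwarded log on the collector rather than on each domain controller.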

Overview

Event ID 4936 is a critical security audit event that tracks modifications to user account management policies within Active Directory environments. This event fires whenever domain administrators or users with appropriate privileges modify password policies, account lockout configurations, or Kerberos authentication settings through Group Policy Management Console, PowerShell cmdlets, or direct Active Directory modifications.

The event appears in the Security log on domain controllers and provides detailed information about what policy was changed, who made the change, and when it occurred. This makes it essential for compliance auditing, security monitoring, and troubleshooting authentication issues that may arise after policy modifications.

Understanding this event is crucial for domain administrators managing Windows Server 2025 environments and earlier versions, as it helps maintain visibility into critical security policy changes that could impact user authentication, password requirements, and overall domain security posture. The event data includes the specific policy object that was modified and the security identifier of the user who made the change.

Frequently Asked Questions

What does Event ID 4936 specifically track in Active Directory?
Event ID 4936 tracks changes to user account management policies within Active Directory, including modifications to password policies (complexity, length, history, age requirements), account lockout policies (threshold, duration, reset counter), and Kerberos authentication policies (ticket lifetimes, clock synchronization tolerance). The event captures who made the change, when it occurred, which specific policy object was modified, and from which workstation the change was initiated. This makes it essential for maintaining security audit trails and compliance reporting in enterprise environments.
How can I determine which specific policy setting was changed when Event ID 4936 occurs?
To identify the specific policy change, examine the event details in Event Viewer or use PowerShell to parse the event XML. The event contains fields like 'PolicyName' and 'PolicyType' that indicate which policy object was modified. You can use PowerShell to extract this information: `$EventXML = [xml]$Event.ToXml(); $PolicyName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'PolicyName'} | Select-Object -ExpandProperty '#text'`. Additionally, compare current policy settings with previous configurations using `Get-ADDefaultDomainPasswordPolicy` to identify what specifically changed.
Is Event ID 4936 generated on all domain controllers or just the one where the change was made?
Event ID 4936 is initially generated on the domain controller where the policy change was directly made. However, due to Active Directory replication, related events may appear on other domain controllers as the policy changes replicate throughout the domain. The timing of these events depends on your replication topology and schedule. To get a complete picture of policy changes across your domain, you should monitor Event ID 4936 on all domain controllers, preferably using Windows Event Forwarding to centralize the logs for easier analysis and correlation.
Can Event ID 4936 help identify unauthorized policy changes in my domain?
Yes, Event ID 4936 is excellent for detecting unauthorized policy changes. The event records the user account that made the change, the source workstation, and the exact timestamp. By regularly reviewing these events and correlating them with your change management processes, you can identify policy modifications that weren't properly authorized or documented. Set up automated monitoring using PowerShell scripts or SIEM solutions to alert on Event ID 4936 occurrences, especially during non-business hours or from unexpected user accounts. This helps maintain security governance and quickly respond to potential security incidents.
What should I do if I see frequent Event ID 4936 occurrences without corresponding administrative activities?
Frequent unexpected Event ID 4936 occurrences could indicate several issues: automated scripts or applications making policy changes, malware or unauthorized access, replication issues causing duplicate events, or misconfigured Group Policy settings causing repeated policy applications. First, identify the user account and source system generating the events. Check if any scheduled tasks, service accounts, or automated tools are configured to modify policies. Review the specific policy changes to determine if they're legitimate. If the changes are unauthorized, immediately investigate for potential security breaches, reset affected accounts, and review domain controller security logs for other suspicious activities.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
