none
Event ID: 4917 log file

    Question

  • Hallo!

    I have a problem in the "Event Viewer" the Security log keeps getting the same message  prntscr.com/aqukwt and i have no idea how to fix the problem.

    As far as i can tell from the message its because a "Group Policy" is getting changed but i am not changing anything and the message keeps coming as you can see on the number of events! 

    And i can't really find someone that has experienced the same thing

    Any/all help will be much appreciated!

    Monday, April 11, 2016 11:04 AM

Answers

  • Hi Kenneth,

    Did you use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration.

    Whether you apply advanced audit policy by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy settings can cause unexpected results. If you use Advanced Audit Policy Configuration settings or use logon scripts (for computers running Windows Vista or Windows Server 2008) to apply advanced audit policy, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.

    For more information, you could refer to the article below.

    Advanced Security Auditing FAQ

    https://technet.microsoft.com/en-us/library/ff182311(WS.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Kenneth Skov Wednesday, April 13, 2016 9:50 AM
    Tuesday, April 12, 2016 8:15 AM
    Moderator

All replies

  • Hi Kenneth,

    Would you post more detailed information about Event ID 4917?

    In addition, here is an article below about event ID 4917, source: Windows SharePoint Services 3 may be helpful to you.

    Event ID 4971 (Windows SharePoint Services health model)

    https://technet.microsoft.com/en-us/library/cc560991%28v=office.12%29.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 11, 2016 12:47 PM
    Moderator
  • Hallo Jay

    Thank you for the reply!

    it's not what i was looking for but thanks for link might be usefull sometime!

    If it helps i will post the event log

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11-04-2016 15:12:03
    Event ID:      4719
    Task Category: Audit Policy Change
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      01srv047.ors.local
    Description:
    System audit policy was changed.

    Subject:
    Security ID: SYSTEM
    Account Name: server01$
    Account Domain: MyDomain
    Logon ID: 0x3E7

    Audit Policy Change:
    Category: Account Management
    Subcategory: Other Account Management Events
    Subcategory GUID: {0cce923a-69ae-11d9-bed3-505054503030}
    Changes: Success removed, Failure removed
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4719</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13568</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2016-04-11T13:12:03.445015500Z" />
        <EventRecordID>2002504425</EventRecordID>
        <Correlation />
        <Execution ProcessID="524" ThreadID="676" />
        <Channel>Security</Channel>
        <Computer>01srv047.ors.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">01SRV047$</Data>
        <Data Name="SubjectDomainName">ORS</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="CategoryId">%%8278</Data>
        <Data Name="SubcategoryId">%%13829</Data>
        <Data Name="SubcategoryGuid">{0CCE923A-69AE-11D9-BED3-505054503030}</Data>
        <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
      </EventData>
    </Event>

    Monday, April 11, 2016 1:19 PM
  • Hi Kenneth,

    Did you use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration.

    Whether you apply advanced audit policy by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy settings can cause unexpected results. If you use Advanced Audit Policy Configuration settings or use logon scripts (for computers running Windows Vista or Windows Server 2008) to apply advanced audit policy, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.

    For more information, you could refer to the article below.

    Advanced Security Auditing FAQ

    https://technet.microsoft.com/en-us/library/ff182311(WS.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Kenneth Skov Wednesday, April 13, 2016 9:50 AM
    Tuesday, April 12, 2016 8:15 AM
    Moderator