How to verify what casued the event ID 4717 and, is it health?

Ka Ho Cheng 285 Reputation points
2024-11-04T09:20:23.6166667+00:00

We have received a alert from security event monitoring system that the Windows Security event ID 4717 is logged.

However I am no idea to find the root cause of this event. I try my best to:

  1. Asked all account owners that no any action as that period.
  2. Checked only one event 4688 logged before 1 minute. It is caused by Anti-virus client.
  3. No any other event before for half hour of it.
  4. Checked the ID "0x3E7" should be system instead of user.
  5. Just one event 4717 logged and no same event again for 2 weeks.

I am no sure that those 2 events are related and no reply from vendor support.

I need to check the root cause of what caused this event 4717 and is it health of our server. Thanks

圖片

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,809 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,856 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yanhong Liu 12,735 Reputation points Microsoft Vendor
    2024-11-05T03:08:50.95+00:00

    Hello,

    To investigate Windows Security Event ID 4717, which indicates that "system security access was granted to an account," you'll want to follow a systematic approach. Here’s how you can verify the root cause and assess the health of your server:

    Event ID 4717 is logged when logon rights, such as "Access this computer from the network" or "Logon as a service," are granted to an account. This event typically shows the Subject as the system itself (ID "0x3E7"), indicating that the change was made by the system rather than a user.

    Check the details of the event in the Event Viewer. Look for fields like Account Modified and Access Granted to see which account received new rights and what rights were granted.

    Check Group Policy Changes:

    Since user rights are controlled via GPOs, check the security logs on your domain controllers for any recent changes to group policy objects. Look for events related to GPO modifications, particularly around the time the 4717 event was logged.

    Correlate with Other Events:

    You mentioned an Event ID 4688 logged shortly before the 4717 event. This event indicates a new process creation. While it was caused by your antivirus client, it’s worth checking if any other processes or services were running at that time that could have triggered the rights change.

    Review Logon IDs:

    The Logon ID in the 4717 event can help you correlate it with other logon events (like Event ID 4624). This can provide context about which user or service was active when the rights were granted.

    Monitor for Anomalies:

    Since this event has only occurred once in two weeks, it may not indicate a persistent issue. However, keep an eye on similar events. If you see more occurrences, especially from accounts other than SYSTEM, it could indicate a potential security concern.

    For more details, refer to the following articles: 4717(S) System security access was granted to an account. - Windows 10 | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.