Event Details
User Activity->Account Management->Account Changes->User Account Changes->Windows 2008->EventID 4830 - SID History was removed from an account.
EventID 4830 - SID History was removed from an account.
 Sample: 
SID History was removed from an account.

Subject:
	Security ID:		ITSS\igor.ilyin
	Account Name:		igor.ilyin
	Account Domain:		ITSS
	Logon ID:		0x6BD4B1CB

Target Account:
	Security ID:		ITSS\AlanBell
	Account Name:		AlanBell
	Account Domain:		ITSS

Additional Information:
	Privileges:		-
	SID List:			-
===========================
Description template stored in adtschema.dll:
===========================
SID History was removed from an account.

Subject:
	Security ID:		%6
	Account Name:		%7
	Account Domain:		%8
	Logon ID:		%9

Target Account:
	Security ID:		%5
	Account Name:		%3
	Account Domain:		%4

Additional Information:
	Privileges:		%10
	SID List:			%11
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Account Management
Source Microsoft-Windows-Security-Auditing
TaskCategory User Account Management
EventId 4830
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. Subject: Account Name igor.ilyin
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "User Account Changes" User Account Changes
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. - High
WhoDomain Subject: Account Domain ITSS
WhereDomain -
Whom Account or user name being managed. Whom ITSS\AlanBell
Comments
You must be logged in to comment