Windows Event ID 4713: Kerberos policy was changed
Windows Security Event ID 4713 records a Kerberos policy change on a domain controller.
- Applicable version
- Windows Server 2008 and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
The event is generated only on domain controllers when Kerberos policy values are changed through domain policy.
Key Fields
KerberosPolicyChange
The field lists changed parameters as Parameter_Name: new_value (old_value). Microsoft documents KerMaxT, KerMaxR, KerMinT, KerProxy, and KerOpts.
KerOpts
Enforce user logon restrictions. Microsoft documents 0x80 as Enabled and 0x0 as Disabled; disabling it weakens Kerberos logon restriction enforcement.
Subject
The account that made the change. Validate whether it is an approved domain-policy administrator and whether the change was scheduled.
Common False Positives
- Planned domain hardening, Kerberos lifetime tuning, or Group Policy maintenance can legitimately generate 4713.
- Domain controller promotion or baseline rebuilds may reapply Kerberos policy values.
Related Events
MITRE ATT&CK Mapping
- T1484.001Domain or Tenant Policy Modification: Group Policy Modification
Detection Notes
Alert on unplanned 4713 where KerberosPolicyChange sets KerOpts to 0x0, because Microsoft documents 0x80 as Enforce user logon restrictions enabled and 0x0 as disabled. That is a concrete T1484.001 signal: a domain Kerberos policy change weakens centrally managed authentication behavior. Also review large KerMaxT or KerMaxR increases because Microsoft documents the conversion formulas for ticket and renewal lifetime; correlate the Subject Logon ID to 4624 and administrative change tickets.
SecurityEvent
| where EventID == 4713
| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, KerberosPolicyChangeindex=wineventlog EventCode=4713
| table _time, host, SubjectUserName, SubjectLogonId, KerberosPolicyChangeSubject: CORP\admin.ops
Logon ID: 0x3e7
KerberosPolicyChange: KerOpts: 0x0 (0x80); KerMaxT: 0x10c388d000 (0x861c46800);