SOC Event Lookup
Event ID 4713PolicyP3

Windows Event ID 4713: Kerberos policy was changed

Windows Security Event ID 4713 records a Kerberos policy change on a domain controller.

Applicable version
Windows Server 2008 and later
Last reviewed
2026-07-13

Trigger Scenarios

The event is generated only on domain controllers when Kerberos policy values are changed through domain policy.

Key Fields

KerberosPolicyChange

The field lists changed parameters as Parameter_Name: new_value (old_value). Microsoft documents KerMaxT, KerMaxR, KerMinT, KerProxy, and KerOpts.

KerOpts

Enforce user logon restrictions. Microsoft documents 0x80 as Enabled and 0x0 as Disabled; disabling it weakens Kerberos logon restriction enforcement.

Subject

The account that made the change. Validate whether it is an approved domain-policy administrator and whether the change was scheduled.

Common False Positives

  • Planned domain hardening, Kerberos lifetime tuning, or Group Policy maintenance can legitimately generate 4713.
  • Domain controller promotion or baseline rebuilds may reapply Kerberos policy values.

Related Events

MITRE ATT&CK Mapping

  • T1484.001Domain or Tenant Policy Modification: Group Policy Modification

Detection Notes

Alert on unplanned 4713 where KerberosPolicyChange sets KerOpts to 0x0, because Microsoft documents 0x80 as Enforce user logon restrictions enabled and 0x0 as disabled. That is a concrete T1484.001 signal: a domain Kerberos policy change weakens centrally managed authentication behavior. Also review large KerMaxT or KerMaxR increases because Microsoft documents the conversion formulas for ticket and renewal lifetime; correlate the Subject Logon ID to 4624 and administrative change tickets.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4713
| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, KerberosPolicyChange
Splunk SPL
index=wineventlog EventCode=4713
| table _time, host, SubjectUserName, SubjectLogonId, KerberosPolicyChange
Sample Log
Subject: CORP\admin.ops
Logon ID: 0x3e7
KerberosPolicyChange: KerOpts: 0x0 (0x80); KerMaxT: 0x10c388d000 (0x861c46800);

Source