
Event ID 4001 — Starting user logon Policy processing for PrincipalSamName.

Provider
Microsoft-Windows-GroupPolicy
Channel
Operational
Level
Informational
Opcode
Start

Description

Starting user logon Policy processing for PrincipalSamName.

Message

Starting user logon Policy processing for %2. 
Activity id: %1

Fields

| Name | Type | Description |
| --- | --- | --- |
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | SAM name of the user account for which GPO processing was started. |
| IsMachine | UInt32 | |
| IsDomainJoined | Boolean | |
| IsBackgroundProcessing | Boolean | |
| IsAsyncProcessing | Boolean | |
| IsServiceRestart | Boolean | |
| ReasonForSyncProcessing | UInt32 | |

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 4001,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T22:32:20.905356+00:00",
    "event_record_id": 495,
    "correlation": {
      "ActivityID": "DE67DFB7-B871-42E1-B68C-4175341DA657"
    },
    "execution": {
      "process_id": 1132,
      "thread_id": 3904
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "DE67DFB7-B871-42E1-B68C-4175341DA657",
    "PrincipalSamName": "WINDEV2310EVAL\\User",
    "IsMachine": 0,
    "IsDomainJoined": false,
    "IsBackgroundProcessing": false,
    "IsAsyncProcessing": true,
    "IsServiceRestart": false,
    "ReasonForSyncProcessing": 0
  },
  "message": ""
}

References