Security Event ID 4739 is not displayed correctly in Windows Server 2008 R2 and Windows 7


Symptoms


In Windows Server 2008 R2 and Windows 7, security Event ID 4739 is not displayed correctly.


Case 1:
When you see the Security Event ID 4739 in event viewer, values of changed attributes, such as min. password age, are not shown correctly.


Case 2:
When you see the Security Event ID 4739 in event viewer, or if you run WMIC NTEVENT to query event, it shows an following error.
"Invalid XML Content"


- Event
Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Event ID: 4739

Task Category: Authentication Policy Change

Level: Information

Keywords: Audit Success

Description: Domain Policy was changed

Change Type: Password Policy modified

Subject:

Security ID: SYSTEM

Account Name:  <computer name>$

Account Domain: <domain name>

Logon ID: <number>

Domain:

Domain Name: <domain name>

Domain ID: <domain name>\

Changed Attributes:
Min. Password Age:
Max. Password Age:
Force Logoff:
Lockout Threashold:
Lockout Observation window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length:
Password History Length:
Machine Account Quota:
Mixed Domain Mode:
Domain Behavior version:
OEM Information

Additional Information:

Privileges:

Cause


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in this article.

Resolution


There is no workaround currently.

User can check whether the password policy has been applied to computer by the following steps.

- Steps
1. Click start button and type "RSOP.msc" in search box.

2.  Click and check the policies under [Computer Configuration] - [Windows Settings] - [Security Settings] - [Accout Policy ] - [Password policy]