Windows Security Log Event ID 5139

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Directory Service
Subcategory: Directory Service Changes
Type: Success
Corresponding events in Windows 2003 and before: none listed

5139: A directory service object was moved

This event documents the move of an AD object from one OU to another, identifying the object moved, the user who moved it, and the object's old and new locations.

This event is logged only when the audit policy on the object's parent has auditing enabled for moves of the object class involved and for the user performing the action or a group to which the user belongs.

Description Fields in 5139

Subject:

The user and logon session that moved the object.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Directory Service: 

  • Name: DNS name of the domain of the object
  • Type: "Active Directory Domain Services" or possibly other directory service if appropriate.  Maybe different value for ADAM or Lightweight Directory Services?

Object:

This is the object that was moved.

  • Old DN: the old X.400 distinguished name of the object reflecting its old location prior to the move
  • New DN: the new X.400 distinguished name of the object reflecting its new location after the move
  • GUID: while "GUID" would indicate this should be the globally unique identifier of the object, as of Win2008 RC1 this field appears to just be the new DN repeated
  • Class: the objectClass of the object as defined in the AD schema

Operation:

  • Correlation ID: Multiple modifications are often executed as one operation via LDAP.  This value allows you to correlate all the modification events that comprise the operation.  Just look for other events with the same Correlation ID.
  • Application Correlation ID: Always "-"?  Unknown.  Start a discussion below if you have information.


Examples of 5139

A directory service object was moved.

Subject:

   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79

Directory Service:

   Name:  acme.local
   Type:  Active Directory Domain Services

Object:

   Old DN:  CN=Napoleon Bonaparte,OU=New York,OU=AcmeUsers,DC=acme,DC=local
   New DN:  CN=Napoleon Bonaparte,OU=France,OU=AcmeUsers,DC=acme,DC=local
   GUID:  CN=Napoleon Bonaparte,OU=France,OU=AcmeUsers,DC=acme,DC=local
   Class:  user

Operation:

   Correlation ID:   {03012d56-855d-41ed-84ac-ec11979965d0}
   Application Correlation ID: -
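
The fields described above can be pulled out of the event description and turned into a triage record. The following is an added example, not part of the original page: it parses the sample event, derives the old and new parent containers from the two DNs (allowing for escaped commas in a name), and marks moves that touch a watched OU. The function names and the watched-OU list are assumptions made for illustration.

```python
import re

# Constructed sample: the description text of the 5139 example on this page.
SAMPLE = r"""A directory service object was moved.
Subject:
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79
Object:
   Old DN:  CN=Napoleon Bonaparte,OU=New York,OU=AcmeUsers,DC=acme,DC=local
   New DN:  CN=Napoleon Bonaparte,OU=France,OU=AcmeUsers,DC=acme,DC=local
   Class:  user
Operation:
   Correlation ID:   {03012d56-855d-41ed-84ac-ec11979965d0}
   Application Correlation ID: -
"""

# "Name:  value" lines; section headers such as "Subject:" carry no value and are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.M)

def parse_5139(text):
    return dict(FIELD.findall(text))

def split_rdn(dn):
    """Split a DN into (RDN, parent DN) at the first comma that is not backslash-escaped."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2              # skip the escaped character, e.g. "\," inside a CN
        elif dn[i] == ",":
            return dn[:i], dn[i + 1:]
        else:
            i += 1
    return dn, ""

def under(parent, ou):
    p, o = parent.lower(), ou.lower()
    return p == o or p.endswith("," + o)

def describe_move(text, watched=()):
    """watched: hypothetical list of OU DNs whose membership changes deserve review."""
    f = parse_5139(text)
    old_parent = split_rdn(f["Old DN"])[1]
    new_parent = split_rdn(f["New DN"])[1]
    return {
        "who": f["Account Domain"] + "\\" + f["Account Name"],
        "logon_id": f["Logon ID"],               # join key to the 4624 logon event
        "correlation_id": f["Correlation ID"],   # join key to sibling 513x events
        "class": f["Class"],
        "old_parent": old_parent,
        "new_parent": new_parent,
        "parent_changed": old_parent.lower() != new_parent.lower(),
        "watched": any(under(old_parent, w) or under(new_parent, w) for w in watched),
    }
```
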
