This event documents a modification to an AD object, identifying the object, the user who made the change, the attribute modified, the attribute value added or removed, and the operation performed. One 5136 event is logged per attribute value changed, so a single LDAP modify can produce several events, tied together by the Correlation ID described below.
This event is logged only when two conditions are met: the Directory Service Changes subcategory (under DS Access) is enabled for success auditing, and the object's SACL contains an audit entry covering the properties or actions involved for the user performing the action or a group to which the user belongs. Enabling the subcategory without a matching SACL entry on the object produces nothing.
This event is not logged for creation (5137), undeletion (5138), moves (5139) or deletion (5141) of AD objects.
For users, groups and computers there are specific Account Management events for tracking most modifications. See "User account management", etc.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Directory Service:
- Name: DNS name of the domain (for AD DS) holding the object
- Type: "Active Directory Domain Services" for AD DS. AD LDS (formerly ADAM) instances may report a different type string here; that value is not confirmed on this page.
Object:
The object that was modified.
- DN: the LDAP (X.500-style) distinguished name of the object
- GUID: the object's objectGUID. On early Windows Server 2008 builds (RC1) this field simply repeated the DN, as in the first two examples below; current versions log the actual GUID in braces, as in the third example.
- Class: the objectClass of the object as defined in the AD schema
Attribute:
- LDAP Display Name: the attribute's name (lDAPDisplayName) as defined in the AD schema
- Syntax (OID): the OID of the attribute's syntax as defined in the schema (attributeSyntax), which tells you how to read Value: 2.5.5.1 is Distinguished Name, 2.5.5.9 is Integer/Enumeration, 2.5.5.12 is Unicode String and 2.5.5.15 is NT Security Descriptor (rendered as SDDL in this event)
- Value: the attribute value that was added or deleted. When a single-valued attribute is replaced, two events share one Correlation ID: one with Operation Type "Value Deleted" carrying the old value and one with "Value Added" carrying the new value. For nTSecurityDescriptor the value is the full SDDL string of the object's security descriptor.
Operation:
- Type: "Value Added" or "Value Deleted". Because the event is logged per value, replacing a single-valued attribute appears as a Value Deleted/Value Added pair, while adding an entry to a multi-valued attribute such as member appears as a lone Value Added.
- Correlation ID: Multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation: look for other 5136 events with the same Correlation ID.
- Application Correlation ID: always "-". This field is not populated for this event.
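The field descriptions above map onto the raw EventData of the event, which is what you work with once the events leave the Event Viewer. The following added example (not code from this page; the sample events are constructed and the list of sensitive attributes is an assumption to tune per environment) parses 5136 events in the XML form that Get-WinEvent's ToXml() or wevtutil emit, uses the Correlation ID to merge the one-record-per-value events back into before/after changes, and surfaces the ones a detection rule should care about.

```python
"""Rebuild AD change operations from 5136 events and flag the risky ones.

Added example for this page (not code from the original). Events are read in
the XML form that Get-WinEvent's ToXml() and wevtutil emit; OpCorrelationID
stitches the per-value records back into the LDAP operations that produced
them. All events below are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# OperationType is stored as a message-table reference; Event Viewer resolves it
# to the text shown on the page. Only the two documented values are mapped here.
OP_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Attributes whose change normally deserves an alert. Assumption: tune per
# environment. Any change to a groupPolicyContainer is also treated as sensitive.
SENSITIVE_ATTRS = {
    "nTSecurityDescriptor", "member", "gPLink", "gPCFileSysPath", "scriptPath",
    "servicePrincipalName", "userAccountControl", "msDS-AllowedToDelegateTo",
    "msDS-AllowedToActOnBehalfOfOtherIdentity",
}


def parse_5136(xml_text):
    """Return the EventData fields of one 5136 event, or None for any other ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["OperationType"] = OP_TYPES.get(ev.get("OperationType"), ev.get("OperationType"))
    return ev


def rebuild_operations(xml_events):
    """Merge per-value records into changes keyed by (Correlation ID, DN, attribute).

    A replace of a single-valued attribute yields a 'Value Deleted' record for the
    old value and a 'Value Added' record for the new one with the same
    OpCorrelationID; here they become one change with old and new lists.
    """
    changes = {}
    for xml_text in xml_events:
        ev = parse_5136(xml_text)
        if ev is None:
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        c = changes.setdefault(key, {
            "correlation_id": ev["OpCorrelationID"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "logon_id": ev["SubjectLogonId"],  # pivot to 4624 and the rest of the session
            "dn": ev["ObjectDN"], "class": ev["ObjectClass"],
            "attribute": ev["AttributeLDAPDisplayName"],
            "old": [], "new": [], "unknown": [],
        })
        bucket = {"Value Added": "new", "Value Deleted": "old"}.get(ev["OperationType"], "unknown")
        c[bucket].append(ev["AttributeValue"])
        c["sensitive"] = c["attribute"] in SENSITIVE_ATTRS or c["class"] == "groupPolicyContainer"
    return list(changes.values())


def flag_sensitive(changes):
    """Return only the changes a detection rule should surface."""
    return [c for c in changes if c["sensitive"]]


def _record(corr, dn, cls, attr, oid, value, op):
    """Constructed 5136 event in the ToXml() schema (sample data, not a real log)."""
    fields = dict(
        OpCorrelationID=corr, AppCorrelationID="-",
        SubjectUserSid="S-1-5-21-1004336348-1177238915-682003330-500",
        SubjectUserName="administrator", SubjectDomainName="ACME",
        SubjectLogonId="0x30999", DSName="acme.com", DSType="%%14676",
        ObjectDN=dn, ObjectGUID="{ae01e035-e108-4108-a098-1a3162ebe245}",
        ObjectClass=cls, AttributeLDAPDisplayName=attr, AttributeSyntaxOID=oid,
        AttributeValue=value, OperationType=op,
    )
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


GPO_DN = "CN={0AB54C97-8836-43BB-9B53-87556DD51F30},CN=Policies,CN=System,DC=acme,DC=com"
SAMPLE_EVENTS = [
    # Rename via LDAP replace: old displayName deleted, new one added, one Correlation ID.
    _record("{c0313036-edda-4f26-bdbf-a43c6013e7e3}", "CN=Evangeline Lilly,OU=test,DC=acme,DC=com",
            "user", "displayName", "2.5.5.12", "E. Lilly", "%%14675"),
    _record("{c0313036-edda-4f26-bdbf-a43c6013e7e3}", "CN=Evangeline Lilly,OU=test,DC=acme,DC=com",
            "user", "displayName", "2.5.5.12", "Evangeline Lilly", "%%14674"),
    # Member added to a privileged group: a lone Value Added on a multi-valued attribute.
    _record("{7b1f2c9e-3d44-4c6a-9f1e-0a2b3c4d5e6f}", "CN=Domain Admins,CN=Users,DC=acme,DC=com",
            "group", "member", "2.5.5.1", "CN=jdoe,OU=test,DC=acme,DC=com", "%%14674"),
    # GPO edit: versionNumber bumped from 4 to 5.
    _record("{ff320a1e-447a-4bb1-9196-bb3469a00b55}", GPO_DN, "groupPolicyContainer",
            "versionNumber", "2.5.5.9", "4", "%%14675"),
    _record("{ff320a1e-447a-4bb1-9196-bb3469a00b55}", GPO_DN, "groupPolicyContainer",
            "versionNumber", "2.5.5.9", "5", "%%14674"),
]

if __name__ == "__main__":
    for c in flag_sensitive(rebuild_operations(SAMPLE_EVENTS)):
        print(f'{c["subject"]} (logon {c["logon_id"]}) changed {c["attribute"]} on '
              f'{c["dn"]}: {c["old"]} -> {c["new"]}')
```

On a domain controller the same records come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136}, passing each event's ToXml() output to parse_5136. Keying on Correlation ID is what turns "Value Deleted" plus "Value Added" into a readable before/after; the Logon ID is kept so a flagged change can be pivoted to the 4624 logon and everything else that session did.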
Edit Of A Group Policy Object
A directory service object was modified.
Subject:
Security ID: ACME-FR\Administrator
Account Name: Administrator
Account Domain: ACME-FR
Logon ID: 0xc84dfe
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: cn={0AB54C97-8836-43BB-9B53-87556DD51F30},cn=policies,cn=system,DC=acme,DC=com
GUID: CN={0AB54C97-8836-43BB-9B53-87556DD51F30},CN=Policies,CN=System,DC=acme,DC=com
Class: groupPolicyContainer
Attribute:
LDAP Display Name: versionNumber
Syntax (OID): 2.5.5.9
Value: 4
Operation:
Type: Value Added
Correlation ID: {ff320a1e-447a-4bb1-9196-bb3469a00b55}
Application Correlation ID: -
------------------------------------------------
Change To Display Name Of User
A directory service object was modified.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: cn=Evangeline Lilly,ou=test,DC=acme,DC=com
GUID: CN=Evangeline Lilly,OU=test,DC=acme,DC=com
Class: user
Attribute:
LDAP Display Name: displayName
Syntax (OID): 2.5.5.12
Value: Born to run character in Lost
Operation:
Type: Value Added
Correlation ID: {c0313036-edda-4f26-bdbf-a43c6013e7e3}
Application Correlation ID: -
------------------------------------------------
Change To Permissions on an OU
A directory service object was modified.
Subject:
Security ID: ACME\administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x23187
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: OU=AcmeManagers,OU=AcmeAdmins,DC=acme,DC=ru
GUID: {ae01e035-e108-4108-a098-1a3162ebe245}
Class: organizationalUnit
Attribute:
LDAP Display Name: nTSecurityDescriptor
Syntax (OID): 2.5.5.15
Value: O:DAG:DAD:AI(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3574173841-1192904138-508017755-1000)(OA;CIIO;RPWP;bf967a0a-0de6-11d0-a285-00aa003049e2;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3574173841-1192904138-508017755-1000)(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-
Operation:
Type: Value Added
Correlation ID: {dfc8f4d7-b08c-492f-9686-99de30e1a7d1}
Application Correlation ID: -
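The nTSecurityDescriptor value in the OU example is an SDDL string, and the interesting question when one of these events fires is which ACE changed and whether it hands control to someone it should not. The first ACE in that example, for instance, is an object ACE granting the CR (control access) right 00299570-246d-11d0-a768-00aa006e0529 (Reset Password) on user objects to a RID-1000 principal. The following added example (not code from this page; the SDDL is constructed to follow the shape of the OU example, and the trusted-principal set is an assumption) parses the DACL out of such a value and flags allow ACEs that grant control rights, all-property write, or dangerous extended rights to principals outside a trusted set.

```python
"""Decode the SDDL value of a 5136 nTSecurityDescriptor change and flag ACEs
that hand high-impact rights to principals outside a trusted set.

Added example for this page (not code from the original). SAMPLE_SDDL is
constructed for the example; it follows the shape of the OU example on the
page but is not that value. Rights abbreviations, access-mask bits and the
three control-access-right GUIDs are the documented Windows values.
"""
import re

# SDDL two-letter rights -> access-mask bits (the codes used in AD descriptors).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "CR": 0x00000100, "LO": 0x00000080, "DT": 0x00000040, "WP": 0x00000020,
    "RP": 0x00000010, "SW": 0x00000008, "LC": 0x00000004, "DC": 0x00000002,
    "CC": 0x00000001,
}
# Rights that let the holder take over the object outright.
CONTROL_MASK = RIGHTS["GA"] | RIGHTS["GW"] | RIGHTS["WD"] | RIGHTS["WO"]
# Control-access rights worth flagging when granted by an object ACE (CR + this GUID).
DANGEROUS_CONTROL_ACCESS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: principals allowed to hold control rights; adjust to your tiering model.
TRUSTED_PRINCIPALS = {"DA", "EA", "BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


def decode_rights(rights):
    """Turn 'CCDCLCSW...' or a hex mask such as '0x1f01ff' into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown rights abbreviation {code!r}")
        mask |= RIGHTS[code]
    return mask


def parse_aces(sddl):
    """Return the DACL ACEs as dicts; the SACL (S:) part is ignored.

    ACE layout: (type;flags;rights;object_guid;inherit_object_guid;sid).
    """
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append({"type": parts[0], "flags": parts[1], "rights": parts[2],
                     "object_guid": parts[3].lower(), "inherit_guid": parts[4].lower(),
                     "sid": parts[5]})
    return aces


def risky_aces(sddl, trusted=TRUSTED_PRINCIPALS):
    """Flag allow ACEs granting control, all-property write or dangerous extended
    rights to a principal that is not in the trusted set."""
    findings = []
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA") or ace["sid"] in trusted:
            continue
        mask = decode_rights(ace["rights"])
        reasons = []
        if mask & CONTROL_MASK:
            reasons.append("control rights (GA/GW/WD/WO)")
        if mask & RIGHTS["WP"] and not ace["object_guid"]:
            reasons.append("write all properties")
        if mask & RIGHTS["CR"]:
            if not ace["object_guid"]:
                reasons.append("all extended rights")
            elif ace["object_guid"] in DANGEROUS_CONTROL_ACCESS:
                reasons.append(DANGEROUS_CONTROL_ACCESS[ace["object_guid"]])
        if reasons:
            findings.append({"sid": ace["sid"], "flags": ace["flags"], "reasons": reasons})
    return findings


# Constructed sample: delegated Reset Password on user objects to a RID-1000
# principal, standard admin ACEs, and a GenericAll grant to a RID-1105 principal.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-3574173841-1192904138-508017755-1000)"
    "(OA;CIIO;RPWP;bf967a0a-0de6-11d0-a285-00aa003049e2;bf967aba-0de6-11d0-a285-00aa003049e2;"
    "S-1-5-21-3574173841-1192904138-508017755-1000)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;AU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;CI;GA;;;S-1-5-21-3574173841-1192904138-508017755-1105)"
)

if __name__ == "__main__":
    for f in risky_aces(SAMPLE_SDDL):
        print(f'{f["sid"]} [{f["flags"]}]: {", ".join(f["reasons"])}')
```

Because the event carries the whole descriptor rather than the delta, run this over the "Value Deleted" and "Value Added" events of the same Correlation ID and compare the two result sets: an ACE that appears only in the new value is the change that was made. The second ACE in the sample (RPWP on one attribute GUID) is deliberately not flagged, since a property-specific write is the normal shape of a delegation and only an unscoped WP or control right warrants an alert on its own.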