Windows Security Log Event ID 617

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4713  
Discussions on Event ID 617
Ask a question about this event

617: Kerberos Policy Changed

On this page

W2k logs this event each time the DC applies group policy. W3 corrects this problem and only logs the event when it detects an actual change to the policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy.

Unfortunately the Change By fields don't identify who actually changed the policy because audit policy isn't directly configured by administrators. Instead it is edited in a group policy object which then gets applied to the computer. Therefore this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs. The time is when the policy was applied rather than the time the group policy object was changed.

Free Security Log Resources by Randy

Description Fields in 617

  • Kerberos Policy Changed:
  • Changed By:
    • User Name: %1
    • Domain Name: %2
    • Logon ID: %3
  • Changes made:
    ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>))
    %4

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 617

Kerberos Policy Changed:
Changed By:
  User Name:W3DC$
  Domain Name:ELM
  Logon ID:(0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:

: ( ))
KerOpts: 0x80 (none); KerMinT: 0x53d1ac1000 (none); KerMaxT: 0x53d1ac1000 (none); KerMaxR: 0x58028e44000 (none); KerProxy: 0xb2d05e00 (none); KerLogoff: 0x9ef7800000000 (none);

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources