Active Directory Change and Security Event IDs

Active Directory build-in change auditing events categorized under following three policy settings.

  • Audit account management
  • Audit directory service access
  • Audit directory service changes (available only from Win 2008 R2 or later)

Audit account management

The Audit account management events provides the high level auditing of user,computer and group maintenance changes. This policy events also categorized as following ways.

  1. User Account Management
  2. Computer Account Management
  3. Security Group Management
  4. Distribution Group Management
1.User Account Management
The following table document lists the event IDs of the user account management category.

 

Event ID Reason
4720 A user account was created.
4722 A user account was enabled.
4723 An attempt was made to change an account’s password.
4724 An attempt was made to reset an accounts password.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4767 A user account was unlocked.
4780 The ACL was set on accounts which are members of administrators groups.
4781 The name of an account was changed.
4794 An attempt was made to set the Directory Services Restore Mode administrator password
5376 Credential Manager credentials were backed up.
5377 Credential Manager credentials were restored from a backup.
2.Computer Account Management

The following table document lists the event IDs of the Computer Account Management category.

Event ID Reason
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
3.Security Group Management

The following table document lists the event IDs of the Security Group Management category.

Event ID Reason
4727 A security-enabled global group was created.
4728 A member was added to a security-enabled global group.
4729 A member was removed from a security-enabled global group.
4730 A security-enabled global group was deleted.
4731 A security-enabled local group was created.
4732 A member was added to a security-enabled local group.
4733 A member was removed from a security-enabled local group.
4734 A security-enabled local group was deleted.
4735 A security-enabled local group was changed.
4737 A security-enabled global group was changed.
4754 A security-enabled universal group was created.
4755 A security-enabled universal group was changed.
4756 A member was added to a security-enabled universal group.
4757 A member was removed from a security-enabled universal group.
4758 A security-enabled universal group was deleted.
4764 A groups type was changed.
4.Distribution Group Management

The following table document lists the event IDs of the Distribution Group Management category.

Event ID Reason
4744 A security-disabled local group was created.
4745 A security-disabled local group was changed.
4746 A member was added to a security-disabled local group.
4747 A member was removed from a security-disabled local group.
4748 A security-disabled local group was deleted.
4749 A security-disabled global group was created.
4750 A security-disabled global group was changed.
4751 A member was added to a security-disabled global group.
4752 A member was removed from a security-disabled global group.
4753 A security-disabled global group was deleted.
4759 A security-disabled universal group was created.
4760 A security-disabled universal group was changed.
4761 A member was added to a security-disabled universal group.
4762 A member was removed from a security-disabled universal group.
4763 A security-disabled universal group was deleted.
Audit directory service access
Audit directory service access events provides the low-level auditing for all types of objects in AD. Directory service access events not only logs the information of an object that was accessed and by whom but also logs exactly which object properties were accessed.

The following table document lists the event IDs of the Distribution Group Management category.

Event ID Reason
4661 A handle to an object was requested
4662 An operation was performed on an object.
5139 A directory service object was moved.
Directory Service Changes

The events which are comes under this category includes the extra details like Old Value and New Value of the changed properties.This Advanced Audit Policy comes under the subcategory of  Directory Service Access.

The following table document lists the event IDs of the Directory Service Changes subcategory.

Event ID Reason
5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted
5139 A directory service object was moved.
5141 A directory service object was deleted.
Advertisement

Leave a Comment