I have to know who (user SID or login name) changed a specified GPO for a specified OU in Active Directory. Given that our audit settings include this, what would be the right Event ID to look for?
2 Answers
On Windows Server 2008, it is event ID 5136 (Directory Service Changes). See also event IDs 5137 (create), 5138 (undelete), 5130 (move). Event ID 4662 contains the old-style audit event (see below).
On Windows 2000 Server and Windows Server 2003:
[T]he policy Audit directory service access was the only auditing control available for Active Directory. The events that were generated by this control did not show the old and new values of any modifications. This setting generated audit events in the Security log with the ID number 566. In Windows Server 2008, the audit policy subcategory Directory Service Access still generates the same events, but the event ID number is changed to 4662.

Unfortunately it's not 2008 ... if I look for Event ID 566 ... the "Object Type" in the message should be {f30e3bc2-9ff0-11d1-b603-0000f80367c1}, right? – Hinek Feb 22 '10 at 10:23
Object Type will be something like user or computer. – shufler Feb 22 '10 at 18:18
We can see this article http://www.morgantechspace.com/2013/11/Event-ID-5136-AD-Object-Change-Audit-Event.html to learn about event ID 5136. It explains how to map the old value and new value events.

Please summarize the article that you linked, quoting any relevant code segments or configuration blocks. Sites can change in the future or fail to load for any number of reasons. – 89c3b1b8-b1ae-11e6-b842-48d705 Nov 27 '13 at 14:02
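An added example, not part of either answer above: a PowerShell (3.0 or later) function that picks GPO edits and OU `gPLink` changes out of 5136 events, reports who made them, and pairs the old and new values that the two answers refer to. The function name and the sample DN, SID and account name are constructed placeholders; the event field names are those of event 5136.

```powershell
# Added example (PowerShell 3.0+). Event 5136 field names are real; the DN,
# SID and account in the sample events are constructed placeholders.
function Get-GpoChange {
    param([string[]] $EventXml, [string] $OuDn)
    $kind = @{ '%%14674' = 'New'; '%%14675' = 'Old' }   # Value Added / Value Deleted
    $rows = foreach ($x in $EventXml) {
        $ev = ([xml]$x).Event
        $d = @{}
        foreach ($n in $ev.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $gpoEdit = $d.ObjectClass -eq 'groupPolicyContainer'
        $ouLink  = $d.ObjectClass -eq 'organizationalUnit' -and
                   $d.AttributeLDAPDisplayName -eq 'gPLink' -and
                   (-not $OuDn -or $d.ObjectDN -eq $OuDn)
        if ($gpoEdit -or $ouLink) {
            [pscustomobject]@{
                Time = $ev.System.TimeCreated.SystemTime; Op = $d.OpCorrelationID
                Who = $d.SubjectUserName; Sid = $d.SubjectUserSid
                ObjectDN = $d.ObjectDN; Attribute = $d.AttributeLDAPDisplayName
                Kind = $kind[[string]$d.OperationType]; Value = $d.AttributeValue
            }
        }
    }
    # A modification logs a "Value Deleted" and a "Value Added" event sharing
    # OpCorrelationID; merge each pair into one old/new row.
    $rows | Group-Object Op, ObjectDN, Attribute | ForEach-Object {
        $g = $_.Group
        $g[0] | Select-Object Time, Who, Sid, ObjectDN, Attribute,
            @{ n = 'OldValue'; e = { ($g | Where-Object Kind -eq 'Old').Value } },
            @{ n = 'NewValue'; e = { ($g | Where-Object Kind -eq 'New').Value } }
    }
}

$tpl = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><TimeCreated SystemTime="2010-02-22T10:00:00Z"/></System>
 <EventData>
  <Data Name="OpCorrelationID">op-1</Data>
  <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1104</Data>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="ObjectDN">OU=Sales,DC=example,DC=com</Data>
  <Data Name="ObjectClass">organizationalUnit</Data>
  <Data Name="AttributeLDAPDisplayName">gPLink</Data>
  <Data Name="AttributeValue">{0}</Data>
  <Data Name="OperationType">{1}</Data>
 </EventData>
</Event>
'@
$sample = ($tpl -f 'old-gPLink-value', '%%14675'), ($tpl -f 'new-gPLink-value', '%%14674')
Get-GpoChange -EventXml $sample -OuDn 'OU=Sales,DC=example,DC=com'
# Live: (Get-WinEvent -FilterHashtable @{LogName='Security';Id=5136} | ForEach-Object { $_.ToXml() })
```

Run on a domain controller's Security log, the last comment's pipeline supplies the `-EventXml` input in place of the constructed sample.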