Event ID 5136 - NT Authority/SYSTEM modified the default domain policy

Ace B 0 Reputation points


I have auditing of GPO changes turned on. While we have password complexity enabled, while being audited it was found to be disabled.

After searching the logs from the GPO modified date, we found that it was the SYSTEM that made the changes. Leaving 2 entries. one for value deleted and one for value added.

This happened one year ago and i thought maybe a team member changed it but they all denied this. So i turned on the auditing and one year later i see the same but now with some evidence.

{"timestamp":"2023-04-19T08:48:24.000Z","hostname":"XXXXX-DC02.xxxxx.int","event_code":"5136","description":"A directory service object was modified.","subject_user_sid":"S-1-5-18","subject_user_name":"SYSTEM","subject_domain_name":"NT AUTHORITY","subject_logon_id":"0x140F99821","ds_name":"akigroup.int","ds_type":"Active Directory Domain Services","object_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int","object_guid":"{b3e150ae-0756-4e1d-b6e6-6161742c686b}","object_class":"groupPolicyContainer","attribute_ldap_display_name":"versionNumber","attribute_syntax_oid":"","attribute_value":"1704322","operation_type":"Value Deleted","op_correlation_id":"{7ce28b12-4e95-4aaa-9001-bcb8f34edc0f}","app_correlation_id":"","source_data":"<14>Apr 19 12:48:24 XXXXXX-DC02.xxxxx.int MSWinEventLog\t1\tSecurity\t26311529\tWed Apr 19 12:48:24 2023\t5136\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tXXXXXXX.XXXXX.int\tDirectory Service Changes\t\tA directory service object was modified. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x140F99821 Directory Service: Name: xxxxx.int Type: Active Directory Domain Services Object: DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=xxxxxxx,DC=int GUID: {b3e150ae-0756-4e1d-b6e6-6161742c686b} Class: groupPolicyContainer Attribute: LDAP Display Name: versionNumber Syntax (OID): Value: 1704322 Operation: Type: Value Deleted Correlation ID: {7ce28b12-4e95-4aaa-9001-bcb8f34edc0f} Application Correlation ID: -\t942257166"}

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
2,647 questions
Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
2,141 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
4,325 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 26,411 Reputation points

    Hello there,

    I suggest you to audit it deeper with procmon to see what is causing these changes.

    For a change operation, you'll typically see two 5136 events for one action, with different Operation\Type fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file

    system, Registry and process/thread activity. You can get the tool from here


    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log

    system activity to the Windows event log.You can get the tool from here


    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments