no event 5136 recorded in DC - Windows Server 2012 R2

hongku.li 1 Reputation point
2021-12-13T07:46:12.06+00:00

I'm using Windows Server 2012 R2 as DC. And I have enabled audit policy: Directory Service Changes - Success.

Besides, I also checked dsa.msc -> domain, and set the audit with the following selection for Everyone,

This object and all descendant objects:

Write all properties
Modify permissions

But when I modified some attributes of a user, there was no event 5136 recorded in Event Viewer. Why is that???


3 answers

  1. Thameur-BOURBITA 32,831 Reputation points
    2021-12-13T11:18:18.573+00:00

    Hi,

    Start by checking DC health:

    dcdiag
    repadmin /showrepl
    

    Check if the GPO is well applied on domain controllers.

    gpresult /h report.html
    rsop.msc
    

    Please don't forget to mark helpful reply as answer


  2. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2021-12-14T14:09:37.08+00:00

    To pile on @Thameur-BOURBITA's reco to check if the environment is healthy, I would do the following:

    1. To check the effective audit policy, don't use gpresult. The only reliable way to determine what the audit policy applied on a machine is, is to locally run auditpol /get /category:*. It will show you the effective policy regardless of where it's getting it from. If you want to run that remotely, there's no longer a parameter in the auditpol tool like we used to have in Windows Server 2003. You will have to run it with something like remote PowerShell. The easiest way would just be to do it locally on your DC where you make the change.
    2. Check if the SACL has been propagated to the object you are trying to modify. If inheritance was disabled on the audit, it is possible your object modification doesn't log anything.
    3. Make sure you check on the event logs of the DC against which you do the modification. The event 5136 will only show on the DC where the modification is done. If you do the change from the DSA console, you can see what DC you are connected to on the top left.
    4. Allow a few seconds of time difference in your search. The event 5136 doesn't show up immediately. It can take up to a few seconds after the change to be logged. So allow some room in the time limits of your search if you use any.
    5. Do you also have the User Account Management audit subcategory enabled? If so, do you see an event 4738 at the time you do your modification? Because this one will show up with or without an entry in the audit tab (just that it doesn't always tell you what has changed in the object as it is only focusing on the SAM attributes). But it would help you spot if you are looking at the right DC.

    Also, just to be sure, maybe you can send along some screenshots of your SACL (audit tab) configuration.
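The five checks above, collected into one PowerShell script to run on the DC that receives the change. This is an added example, not code from the thread or from Microsoft; the account name jdoe, the domain contoso.com and the Description attribute used as the test change are assumptions, so adjust them. It reads the effective policy with auditpol, dumps the SACL actually present on the user object (so a blocked inheritance shows up as a missing or non-inherited entry), makes the change against a named DC, waits a few seconds, and then queries only that DC for 5136 and 4738 with a time window that starts before the change.

```powershell
# Added example (not part of the original thread). Run as Domain Admin on the DC
# that will receive the change. Assumptions: user 'jdoe', domain 'contoso.com'.
$SamAccountName = 'jdoe'
$Domain         = 'contoso.com'

Import-Module ActiveDirectory

# 1. Effective audit policy comes from auditpol, not gpresult.
#    Both subcategories must report "Success" for 5136 and 4738 respectively.
auditpol /get /subcategory:"Directory Service Changes","User Account Management"

# 2. Did the SACL reach the object? If inheritance is blocked on an OU in between,
#    the Everyone entry set at the domain root will be missing here.
$user = Get-ADUser -Identity $SamAccountName -Server $Domain
$acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)" -Audit
$acl.Audit |
    Where-Object { $_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 3. Pin the change to one DC so you know which Security log to read.
$dc    = (Get-ADDomainController -Discover -DomainName $Domain).HostName | Select-Object -First 1
$start = (Get-Date).AddSeconds(-5)      # 4. slack in case of small clock differences
Set-ADUser -Identity $SamAccountName -Server $dc -Description "audit test $(Get-Date -Format s)"
Start-Sleep -Seconds 5                  # 4. 5136 is not written instantly

# 3./4./5. Query only that DC, from a few seconds before the change onward.
#    5136 carries the attribute and value; 4738 only proves you are on the right DC.
$filter = @{ LogName = 'Security'; Id = 5136, 4738; StartTime = $start }
Get-WinEvent -ComputerName $dc -FilterHashtable $filter |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($_.Id -eq 5136) { $target = $d['ObjectDN'] } else { $target = $d['TargetUserName'] }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Target    = $target
            Attribute = $d['AttributeLDAPDisplayName']   # 5136 only
            Value     = $d['AttributeValue']             # 5136 only
            Who       = $d['SubjectUserName']
        }
    } | Format-Table -AutoSize
```

If the auditpol output shows the subcategory, the SACL table shows an Everyone entry with IsInherited True, and 4738 appears but 5136 does not, the policy and log location are right and the problem is the SACL itself (wrong rights, wrong object type, or Failure instead of Success). If 4738 is also absent, you are almost certainly reading the wrong DC.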


  3. Limitless Technology 39,591 Reputation points
    2021-12-14T19:18:10.697+00:00

    Hello @hongku.li

    You must still modify the SACL of objects to specify which attributes should be audited.
    To access the SACL and its audit entries:

    1. In Active Directory Users And Computers, open the Properties dialog box of the object you want to audit.
    2. On the Security tab, click Advanced.
    3. Click the Auditing tab.

    To add an audit entry:

    1. Click Add.
    2. Select the user, group, or computer to audit. Often this will be the Everyone group.
    3. In the Auditing Entry dialog box, indicate the type of access to audit.
      You can audit for successes, failures, or both as the specified user, group, or computer attempts to access the resource using one or more of the granular access levels.

    Hope this helps with your query,

    --------
    --If the reply is helpful, please Upvote and Accept as answer--
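The same audit entry the GUI steps above create (Everyone, Success, "Write all properties" and "Modify permissions", this object and all descendant objects), applied with PowerShell and then verified on a child object. This is an added example, not code from the thread or from Microsoft; contoso.com as the target domain is an assumption, and the verification picks an arbitrary user under the domain root. WriteProperty corresponds to "Write all properties" and WriteDacl to "Modify permissions" in the Auditing Entry dialog.

```powershell
# Added example (not part of the original thread). Run as Domain Admin on a DC;
# writing a SACL requires SeSecurityPrivilege. Assumption: domain 'contoso.com'.
Import-Module ActiveDirectory

$TargetDN = (Get-ADDomain -Identity 'contoso.com').DistinguishedName
$path     = "AD:\$TargetDN"

# Everyone is the well-known SID S-1-1-0.
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

# "Write all properties" + "Modify permissions", audited on Success,
# applied to this object and all descendant objects.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
              $everyone,
              $rights,
              [System.Security.AccessControl.AuditFlags]::Success,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
          )

# Read the current SACL, add the entry, write it back.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify that the entry is inherited by a child object (IsInherited = True).
# If it is not, an OU in between has inheritance disabled on its auditing tab.
$probe = Get-ADUser -Filter * -SearchBase $TargetDN -ResultSetSize 1
(Get-Acl -Path "AD:\$($probe.DistinguishedName)" -Audit).Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited -AutoSize
```

Once the entry is in place, a property write on any user under the domain root produces a 5136 on the DC that handled the write, provided the Directory Service Changes subcategory is enabled for Success on that DC.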

