Hi,
Start by checking DC health :
dcdiag
repadmain /showrepl
Check if the GPO is well applied on domain controllers.
gpresult /h report.html
rsop.msc
Please don't forget to mark helpful reply as answer
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I'm using Windows Server 2012 R2 as DC. And I have enable audit policy: Directory Service Changes - Success.
Besides, I also checked dsa.msc -> domain, and set the audit as following selection for Everyone,
This object and all descendand objects:
Write all properties
Modify permissions
But when I modified some attributes of a user, there was no event 5136 recored in Event Viewer. That's why???
Hi,
Start by checking DC health :
dcdiag
repadmain /showrepl
Check if the GPO is well applied on domain controllers.
gpresult /h report.html
rsop.msc
Please don't forget to mark helpful reply as answer
To pile on @Thameur-BOURBITA reco to check if the environment is healthy, I would do the following:
gpresult
. The only reliable way to determine what is the audit policy applied on a machine is to locally run auditpol /get /category:*
. It will show you the effetive policy regarless of where it's getting it from. If you want to run that remotely, there's no longer a parameter in the auditpol
tool like we used to have in Windows Server 2003. You will have to run with something like remote PowerShell. The easiest way would just to do it locally on your DC where you make the change. Also, just to be sure, maybe you can send along some screenshots of your SACL (audit tab) configuration.
Hello @hongku.li
You must still modify the SACL of objects to specify which attributes should be audited.
To access the SACL and its audit entries:
To add an audit entry:
Hope this helps with your query,
--------
--If the reply is helpful, please Upvote and Accept as answer--