Audit Directory Service Changes

Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).

Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.

Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.

This subcategory only logs events on domain controllers.

Event volume: High on domain controllers.

This subcategory triggers events when an Active Directory object is modified, created, undeleted, moved, or deleted.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high-value or critical Active Directory objects, for example, changes to the AdminSDHolder container or the Domain Admins group object. This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects, you need to look at the Audit Directory Service Access subcategory. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types that need to be monitored for specific Organizational Units, and so on) so that you audit only the access attempts made to specific important objects. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for it. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
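The table above recommends Success auditing on domain controllers plus a SACL design that targets high-value objects such as AdminSDHolder. The following PowerShell script is an added example (not from the original page or from Microsoft) showing both halves of that setup on a domain controller: enabling the subcategory with `auditpol.exe`, then adding a Success audit ACE to the AdminSDHolder container so that write operations on it produce 5136 events. It assumes the `ActiveDirectory` module is installed (which provides the `AD:` drive) and that the session runs with rights to read and write the SACL (SeSecurityPrivilege); the choice of `Everyone` as the audited principal and of the three write rights is this example's own design choice, not something the page prescribes.

```powershell
# Added example: enable "Directory Service Changes" Success auditing and put a
# SACL on AdminSDHolder. Run on a domain controller with administrative rights.

# 1. Enable Success auditing for the subcategory (Failure is not generated by it,
#    so it is left disabled, as the page recommends).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:disable
auditpol.exe /get /subcategory:"Directory Service Changes"

# 2. Add an audit ACE to AdminSDHolder so that writes generate 5136 events.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$target   = "AD:\CN=AdminSDHolder,CN=System,$domainDN"

# -Audit is required to read the SACL (needs SeSecurityPrivilege).
$acl = Get-Acl -Path $target -Audit

# Audit every principal ("Everyone", S-1-1-0); narrow this in a real SACL design.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# Rights that change the object: attribute writes, DACL changes, owner changes.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# Success-only ACE, applied to this object only (no inheritance).
$ace = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAuditRule($ace)
Set-Acl -Path $target -AclObject $acl

# 3. Show the resulting SACL entries for verification.
(Get-Acl -Path $target -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize
```

Because both the subcategory and a matching SACL are required (see the note above about objects without SACLs), confirm the `auditpol /get` line reports `Success` and the final table lists the new ACE before relying on 5136 events for this object.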

Events List:

  • 5136(S): A directory service object was modified.

  • 5137(S): A directory service object was created.

  • 5138(S): A directory service object was undeleted.

  • 5139(S): A directory service object was moved.

  • 5141(S): A directory service object was deleted.
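The five event IDs listed above are what a detection engineer collects from domain controllers. The script below is an added example (not code from the original page) that reads those events from the local Security log, flattens the EventData fields into objects, decodes the `OperationType` of 5136 into "Value Added" / "Value Deleted", and pairs the deleted and added values of one attribute change through the shared `OpCorrelationID` so that the old and new property values mentioned earlier appear side by side. It assumes the field names used by these events (`SubjectUserName`, `ObjectDN`, `NewObjectDN`, `AttributeLDAPDisplayName`, `AttributeValue`, `OperationType`, `OpCorrelationID`), and the `%%14674`/`%%14675` string codes, match those in the raw event XML; the `$watchList` regex of high-value DNs is this example's own choice.

```powershell
# Added example: collect Directory Service Changes events (5136-5141) from the
# local Security log and show old/new attribute values for watched objects.

$watchList = 'CN=AdminSDHolder,|CN=Domain Admins,|CN=Enterprise Admins,'

# OperationType in 5136 is stored as a resource string reference in the XML.
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139, 5141
    StartTime = (Get-Date).AddHours(-24)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <Data Name="..."> elements into a hashtable keyed by Name.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # 5139 (move) carries OldObjectDN/NewObjectDN instead of ObjectDN.
    $dn = if ($d.ContainsKey('ObjectDN')) { $d.ObjectDN } else { $d.NewObjectDN }

    [pscustomobject]@{
        Time          = $_.TimeCreated
        Id            = $_.Id
        Subject       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectDN      = $dn
        ObjectClass   = $d.ObjectClass
        Attribute     = $d.AttributeLDAPDisplayName
        Value         = $d.AttributeValue
        Operation     = if ($d.OperationType) { $opNames[$d.OperationType] } else { $null }
        CorrelationID = $d.OpCorrelationID
    }
}

# Only keep changes to the watched high-value objects.
$hits = $events | Where-Object { $_.ObjectDN -match $watchList }

# Pair "Value Deleted" and "Value Added" halves of a 5136 attribute change.
$changes = $hits | Where-Object Id -eq 5136 |
    Group-Object CorrelationID, Attribute | ForEach-Object {
        $old = ($_.Group | Where-Object Operation -eq 'Value Deleted').Value -join ';'
        $new = ($_.Group | Where-Object Operation -eq 'Value Added').Value -join ';'
        [pscustomobject]@{
            Time      = ($_.Group | Sort-Object Time)[0].Time
            Subject   = $_.Group[0].Subject
            ObjectDN  = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].Attribute
            OldValue  = $old
            NewValue  = $new
        }
    }

"Attribute changes on watched objects:"
$changes | Sort-Object Time | Format-Table -AutoSize

"Create/undelete/move/delete on watched objects:"
$hits | Where-Object Id -ne 5136 |
    Select-Object Time, Id, Subject, ObjectDN, ObjectClass | Format-Table -AutoSize
```

On a DC with the subcategory enabled but no SACL on the watched objects the first table stays empty, which is the quickest way to notice the SACL half of the configuration is missing.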