Event ID for modified GPOs
On Windows Server 2008, it is event ID 5136 (Directory Service Changes). See also event IDs 5137 (create), 5138 (undelete), 5130 (move). Event ID 4662 contains the old-style audit event (see below).
On Windows 2000 Server and Windows Server 2003:
[T]he policy Audit directory service access was the only auditing control available for Active Directory. The events that were generated by this control did not show the old and new values of any modifications. This setting generated audit events in the Security log with the ID number 566. In Windows Server 2008, the audit policy subcategory Directory Service Access still generates the same events, but the event ID number is changed to 4662.
Related videos on Youtube
Hinek
Updated on September 17, 2022Comments
-
Hinek almost 2 years
I have to know, who (usersid or loginname) changed a specified GPO for a specified OU in the Active Directory. Given our audit settings include this, what would be the right Event ID to look for?
-
Hinek over 14 yearsUnfortunately it's not 2008 ... if I look for Event ID 566 ... the "Object Type" in the message should be {f30e3bc2-9ff0-11d1-b603-0000f80367c1}, right?
-
shufler over 14 yearsObject Type will be something like user or computer.
-
89c3b1b8-b1ae-11e6-b842-48d705 over 10 yearsPlease summarize the article that you linked, quoting any relevant code segments or configuration blocks. Sites can change in the future or fail to load for any number of reasons.