ChangeAuditor ActiveDirectory 7.1 EventReferenceGuide


Quest® Change Auditor for Active Directory®

7.1
Event Reference Guide
© 2020 Quest Software Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a
software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the
applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written
permission of Quest Software Inc.
The information in this document is provided in connection with Quest Software products. No license, express or implied, by
estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest
Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE
AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY
EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO
EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR
INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS
INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN
IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no
representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the
right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any
commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software Inc.
Attn: LEGAL Dept.
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our website (https://www.quest.com) for regional and international office information.
Patents
Quest Software is proud of our advanced technology. Patents and pending patents may apply to this product. For the most
current information about applicable patents for this product, please visit our website at https://www.quest.com/legal.
Trademarks
Quest Software, Quest, the Quest logo, and Join the Innovation are trademarks and registered trademarks of Quest Software Inc.
For a complete list of Quest marks, visit https://www.quest.com/legal/trademark-information.aspx. All other trademarks and
registered trademarks are property of their respective owners.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Change Auditor for Active Directory Event Reference Guide


Updated - December 2020
Software Version - 7.1
Contents

Introduction

Change Auditor for Active Directory Events
Active Directory Database
Active Directory Federation Services - Authentication Methods
Active Directory Federation Services - Sign-in
Active Directory Federation Services - Relying Party Trusts
Configuration Monitoring
Connection Object
Custom AD Object Monitoring
Custom Computer Monitoring
Custom Group Monitoring
Custom User Monitoring
DNS Service
DNS Zone
Domain Configuration
Dynamic Access Control
Forest Configuration
FRS Service
Group Policy Item
Group Policy Object
IP Security
NETLOGON Service
NTDS Service
Organizational Unit (OU)
Replication Transport
Schema Configuration
Site Configuration
Site Link Bridge Configuration
Site Link Configuration
Subnets
SYSVOL

Log Events
InTrust for AD event log
InTrust for ADAM event Log

About us
Our brand, our vision. Together.
Contacting Quest
Technical support resources

Quest Change Auditor for Active Directory 7.1 Event Reference Guide
1 Introduction
Change Auditor for Active Directory drives the security and control of Microsoft Active Directory by proactively tracking vital Active Directory configuration changes in real time. From GPO and Schema to critical group and operational changes, Change Auditor for Active Directory tracks, audits, reports, and alerts on changes that impact your directory — without the overhead costs of native auditing.

You can also track, audit, and report on Azure Active Directory changes. For more information, see the Change Auditor for Office 365 and Azure Active Directory Auditing User Guide.

In addition to real-time event auditing, you can enable event logging to capture Active Directory or ADAM (AD LDS) events locally in a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

NOTE: Active Directory and ADAM (AD LDS) auditing and event logging are only available when you have licensed Change Auditor for Active Directory. Contact your Sales Representative for more information about obtaining Change Auditor for Active Directory.

This guide lists the events that can be captured by Change Auditor for Active Directory. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

2 Change Auditor for Active Directory Events
This section lists the audited events specific to Change Auditor for Active Directory and each event’s
corresponding severity setting. Audited events are listed in alphabetical order by facility:
• Active Directory Database
• Active Directory Federation Services - Authentication Methods
• Active Directory Federation Services - Sign-in
• Active Directory Federation Services - Relying Party Trusts
• Configuration Monitoring
• Connection Object
• Custom AD Object Monitoring
• Custom Computer Monitoring
• Custom Group Monitoring
• Custom User Monitoring
• DNS Service
• DNS Zone
• Domain Configuration
• Dynamic Access Control
• Forest Configuration
• FRS Service
• Group Policy Item
• Group Policy Object
• IP Security
• NETLOGON Service
• NTDS Service
• Organizational Unit (OU)
• Replication Transport
• Schema Configuration
• Site Configuration
• Site Link Bridge Configuration
• Site Link Configuration
• Subnets
• SYSVOL
NOTE: To view a complete list of all the Change Auditor for Active Directory events, open the Audit Events
page on the Administration Tasks tab in the Change Auditor client. This page contains a list of all the events
available for auditing by Change Auditor for Active Directory. It also displays the facility to which the event
belongs, the severity assigned to each event, if the event is enabled or disabled, and the type of Change
Auditor for Active Directory license that is required to capture each event.

IMPORTANT: When expecting large numbers of events, it may be necessary to increase the Max Events per
Connection setting in the Change Auditor client (Agent Configuration on the Administration Tasks tab) to
avoid an ever-increasing backlog of events waiting to be sent from the agent to the coordinator database.

Active Directory Database


Table 1. Active Directory Database events

| Event | Description | Severity |
| --- | --- | --- |
| Active Directory database file access rights changed | Created when access to the NTDS.dit file has been changed through Access Control Settings. | High |
| Active Directory database file accessed | Created when the NTDS.dit file has been accessed. | High |
| Active Directory database file attribute changed | Created when NTDS.dit file attributes have been changed. | High |
| Active Directory database file auditing changed | Created when changes are made to the NTDS.dit auditing list on the domain controller. | High |
| Active Directory database file central access policy changed | Created when the NTDS.dit file central access policy is changed on the domain controller. | High |
| Active Directory database file classification changed | Created when the NTDS.dit file classification is changed on the domain controller. | High |
| Active Directory database file created | Created when the NTDS.dit file is created on a domain controller. | High |
| Active Directory database file deleted | Created when the NTDS.dit file is deleted on a domain controller. | High |
| Active Directory database file last write changed | Created when the contents of the NTDS.dit file are written on a domain controller. | High |
| Active Directory database file moved | Created when the NTDS.dit file is moved on a domain controller. | High |
| Active Directory database file ownership changed | Created when ownership of the NTDS.dit file has been changed. | High |
| Active Directory database file renamed | Created when the NTDS.dit file is renamed on a domain controller. | High |
| Failed Active Directory database access (Change Auditor Protection) | Created when access attempt fails on the NTDS.dit file due to Change Auditor protection. | High |
| Failed Active Directory database access (NTFS permissions) | Created when access attempt fails on the NTDS.dit file due to NTFS permission. | High |
| Failed Active Directory database access (Sharing violation) | Created when access attempt fails on the NTDS.dit file due to sharing violation. | High |

Active Directory Federation Services - Authentication Methods

Table 2. Active Directory Federation Services - Authentication Methods events

| Event | Description | Severity |
| --- | --- | --- |
| Additional authentication methods changed | Created when authentication methods are changed. | Medium |
| Additional authentication method registered | Created when authentication methods are registered. | Medium |
| Additional authentication method unregistered | Created when authentication methods are unregistered. | Medium |
| Allow additional authentication providers as primary setting changed | Created when additional authentication providers as primary setting is changed. | Medium |
| Extranet authentication methods changed | Created when extranet authentication methods are changed. | Medium |
| Intranet authentication methods changed | Created when intranet authentication methods are changed. | Medium |

Active Directory Federation Services - Sign-in

Table 3. Active Directory Federation Services - Sign-in events

| Event | Description | Severity |
| --- | --- | --- |
| Failed Active Directory Federation Services sign-in | Created when a user fails to sign in using Active Directory Federation Services. | Medium |
| Successful Active Directory Federation Services sign-in | Created when a user successfully signs in using Active Directory Federation Services. | Low |

Active Directory Federation Services - Relying Party Trusts

Table 4. Active Directory Federation Services - Relying Party Trusts

| Event | Description | Severity |
| --- | --- | --- |
| Relying Party Trust added | Created when a relying party trust is added. | Medium |
| Relying Party Trust changed | Created when a relying party trust is changed. | Medium |
| Relying Party Trust deleted | Created when a relying party trust is deleted. | Medium |
| Relying Party Trust disabled | Created when a relying party trust is disabled. | Medium |
| Relying Party Trust enabled | Created when a relying party trust is enabled. | Medium |

Configuration Monitoring
Table 5. Configuration Monitoring events

| Event | Description | Severity |
| --- | --- | --- |
| Active Directory Share Added | Created when an Active Directory share has been added to a server. | Medium |
| Active Directory Share Removed | Created when an Active Directory share has been removed from a server. | High |
| Append Parent Suffixes Option Changed | Created when the append parent suffixes of the primary DNS suffix option is changed. | Medium |
| Application Partition Replica Added | Created when a DN for an application partition is added to the msDS-hasMasterNCs attribute of an nTDSDSA object. | Medium |
| Application Partition Replica Removed | Created when a DN for an application partition is removed from the msDS-hasMasterNCs attribute of an nTDSDSA object. | High |
| Connection DNS Registration Option Changed | Created when the register connection in DNS option on a network connection is changed. | Medium |
| Connection Object Added | Created when an nTDSConnection object is added to the NTDS Settings container. | Medium |
| Connection Object Removed | Created when an nTDSConnection object is removed from the NTDS Settings container. | Medium |
| Connection-specific DNS Suffix Changed | Created when the connection-specific DNS suffix changes. | Medium |
| Contents of DNS Server List Changed | Created when a DNS server is added or removed from the DNS server list. | Medium |
| Contents of DNS Suffix List Changed | Created when a suffix is added or removed from the DNS suffix list. | Medium |
| Contents of WINS Server List Changed | Created when a server is added or removed from the WINS server list. | Medium |
| Critical Link Failures Allowed Parameter Changed | Created when the CriticalLinkFailuresAllowed parameter on a DC is changed. | Medium |
| Default Gateway Changed | Created when the default gateway changes on a network connection. | Low |
| DHCP Disabled | Created when DHCP is disabled on a network connection. | Low |
| DHCP Enabled | Created when DHCP is enabled on a network connection. | Low |
| DIT Location Changed | Created when the directory path of the DIT is changed. | Low |
| Domain Controller Added as Preferred Bridgehead Server | Created when a domain controller is configured as a preferred bridgehead server for a particular replication transport. | Medium |
| Domain Controller Moved to Another OU | Created when a domain controller is moved to another OU. | Medium |
| Domain Controller Removed as Preferred Bridgehead Server | Created when a domain controller is removed as a preferred bridgehead server for a particular replication transport. | Medium |
| Domain Controller Service Pack Applied | Created when a service pack is applied to a domain controller. | Medium |
| Domain Controller Service Pack Rolled Back | Created when a service pack is removed from a domain controller. | Medium |
| DS Database Logging and Recover Option Changed | Created when the logging and recovery option of Active Directory is changed. | Low |
| DS Hierarchy Table Evaluation Interval Changed | Created when the hierarchy table evaluation interval on the DC is changed. | Medium |
| DS Log File Location Changed | Created when the directory path of the DS log file is changed. | Low |
| Hotfix Applied | Created when a hot fix is applied. | Medium |
| Hotfix Rolled Back | Created when a hot fix is removed. (Disabled by Default) | Medium |
| Intersite Failures Allowed Parameter Changed | Created when the IntersiteFailuresAllowed parameter is changed on a DC. | Medium |
| IP Deny List Entry Added | Created when an entry is added to the IP deny list of an LDAP query policy object. | Medium |
| IP Deny List Entry Removed | Created when an entry is removed from the IP deny list of an LDAP query policy object. | Low |
| IPSEC Settings Changed | Created when the IPSEC settings for a network connection are changed. | Medium |
| KCC Delay After Startup Changed | Created when the amount of time the KCC delays after startup before re-computing the replication topology is changed. | Medium |
| KCC Site Generator Failover Interval Changed | Created when the interval after which a new Intersite Topology Generator (ISTG) is nominated if no ISTG identity is updated in the directory is changed. | Medium |
| KCC Site Generator Renewal Interval Changed | Created when the interval at which the Intersite Topology Generator (ISTG) publishes its identity in the directory is changed. | Medium |
| KCC Update Interval Changed | Created when the interval at which the KCC on the domain controller runs is changed. | Medium |
| Kerberos Diagnostic Log Level Changed | Created when the diagnostic log level for the Kerberos service is changed. | Medium |
| Linked Query Policy for Domain Controller Changed | Created when the lDAPAdminLimits attribute of a query policy object referred to by the querypolicyObject attribute of the nTDSDSA object for the domain controller was changed. | Low |
| Max Failure Time for Intersite Link Parameter Changed | Created when the MaxFailureTimeForIntersiteLink value is changed on a domain controller. | Medium |
| Max Failure Time for Non-critical Link Parameter Changed | Created when the Maximum Failure Time value for non-critical links is changed on a domain controller. | Medium |
| MaxFailureTimeForCritical Link Parameter Changed | Created when the MaxFailureTimeForCriticalLink parameter is changed on a domain controller. | Medium |
| Maximum Number of DS Threads Changed | Created when the number of threads used by the DS service is changed. | Medium |
| NetBIOS Setting Changed | Created when the NETBIOS setting on a network connection is changed. | Medium |
| NIC Added | Created when a NIC is added to the host computer. | Low |
| NIC Disabled | Created when a NIC is disabled on the host computer. | Medium |
| NIC Enabled | Created when a NIC is enabled on the host computer. | Medium |
| NIC Removed | Created when a NIC is removed from the host computer. | Low |
| Non-critical Link Failures Allowed Flag Changed | Created when the Non-critical Link Failures value is changed on a domain controller. | Low |
| Preferred Bridgehead Setting Changed | Created when the bridgeheadTransportList attribute of a server is changed. | Medium |
| Processor Speed Changed | Created when the processor speed of the DC is changed. | Low |
| Query Policy Link for Domain Controller Changed | Created when the queryPolicyObject attribute of the nTDSDSA is changed. | Low |
| Query Policy Setting Changed | Created when query policy settings of an existing query policy object have changed. | Low |
| Raw IP Allowed Protocols List Changed | Created when the contents of the Raw IP Allowed Protocols list are changed. | Medium |
| Replicator Notify Pause After Modify Delay Changed | Created when the notify pause value is changed on a domain controller. | Medium |
| Schema Modifications Allowed Flag Changed | Created when a domain controller is configured to allow schema modifications. | High |
| Static IP Address Changed | Created when the static IP address changes on a network connection. | Low |
| Subnet Mask Changed | Created when the subnet mask changes on a network connection. | Low |
| SYSVOL Location Changed | Created when the SYSVOL location is changed on a domain controller. | Low |
| TCP Allowed Port List Changed | Created when the contents of the TCP Allowed Port list are changed. | Medium |
| TCP/IP Filtering Changed | Created when the TCP/IP Filtering option is changed on a network connection. | Medium |
| UDP Allowed Port List Changed | Created when the contents of the UDP Allowed Port list are changed. | Medium |
| Update DNS on All Adapters Setting Changed | Created when Active Directory’s setting that controls the adapters on which a DC updates DNS is changed. | Medium |
| Use Connection Suffix in DNS Registration Option Changed | Created when the use this connection’s DNS suffix in DNS registration option is changed. | Medium |
| Use LMHOSTS Option Changed | Created when the LMHOSTS option on a network connection is changed. | Low |
| Use of Dynamic DNS Changed | Created when Active Directory’s use of dynamic DNS has been changed. | Medium |
| Use Primary and Connection Specific Suffixes Flag Changed | Created when the primary and connection-specific suffixes flag changes on a domain controller. | Medium |

Connection Object
Table 6. Connection Object events

| Event | Description | Severity |
| --- | --- | --- |
| Connection Object From-server Changed | Created when the from-server of a connection object is changed. | Medium |
| Connection Object Schedule Changed | Created when a change is detected in the schedule attribute of a connection object. | Medium |
| Connection Object Transport Changed | Created when the transport type of a connection object is changed. | Medium |

Custom AD Object Monitoring


Table 7. Custom AD Object Monitoring events

| Event | Description | Severity |
| --- | --- | --- |
| <Object> <Attribute> Changed | Created when an attribute changes on an object that the user has opted to audit using the Active Directory Attribute Auditing page on the Administration Tasks tab in the Change Auditor client. NOTE: Starting with Change Auditor 5.6, the attributes that can be set using the User Properties dialog in Active Directory Users and Computers (ADUC) are audited by default. If you have added custom attribute auditing for any of these attributes, you receive two events when changes to these user attributes are made: a Custom User Monitoring event for the built-in user attribute event; and a Custom AD Object Monitoring event for the custom attribute event (user attribute specified on Active Directory Attribute Auditing page). To eliminate duplicate events, you can remove the user attribute from the Active Directory Attribute Auditing page which prevents the custom attribute event from being generated. | Medium |
| Computer Changed | Created when an object is added, moved, removed, or renamed in a computer object. | Medium |
| Group Changed | Created when an object is added, moved, removed, or renamed in a group object. | Medium |
| User Changed | Created when an object is added, moved, removed, or renamed in a user object. | Medium |

Custom Computer Monitoring


Table 8. Custom Computer Monitoring events

| Event | Description | Severity |
| --- | --- | --- |
| Computer Account Disabled | Created when the computer account is disabled. | Medium |
| Computer Account Enabled | Created when the computer account is enabled. | Medium |
| Computer Added | Created when a computer account object is added to the domain. | Medium |
| Computer Moved | Created when a computer account object is moved within the domain. | Medium |
| Computer Removed | Created when a computer account object is removed from the domain. | Medium |
| Computer Renamed | Created when a computer account object is renamed. | Medium |
| Computer Service Pack Applied | Created when a service pack is applied to the computer. | Medium |
| Computer Service Pack Rolled Back | Created when a service pack is uninstalled from the computer. | Medium |
| DACL Changed on Computer Object | Created when the DACL is changed for the computer object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes), will not report inherited access control entry (ACE) changes. This event does NOT report inherited ACL changes. | Medium |
| Dynamic Computer Object Added | Created when a dynamic computer object is added to a container. | Medium |
| Dynamic Computer Object Changed | Created when a dynamic computer object is modified. | Medium |
| Dynamic Computer Object Removed | Created when a dynamic computer object is removed from a container. | Medium |
| Owner Changed on Computer Object | Created when the owner of a computer object is changed. | Medium |

Custom Group Monitoring


Table 9. Custom Group Monitoring events

| Event | Description | Severity |
| --- | --- | --- |
| DACL Changed on Group Object | Created when the DACL is changed for the group object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes), do not report inherited access control entry (ACE) changes. This event does not report inherited ACL changes. | High |
| Dynamic Group Object Added | Created when a dynamic group object is added to a container. | Medium |
| Dynamic Group Object Changed | Created when a dynamic group object is modified. | Medium |
| Dynamic Group Object Removed | Created when a dynamic group object is removed from a container. | Medium |
| Group Member-Of Added | Created when a group is added to another group. | Medium |
| Group Member-Of Removed | Created when a group is removed from another group. | Medium |
| Group Object Added | Created when a new group is added to a container. | Medium |
| Group Object Moved | Created when a group is moved to or from a container. | Medium |
| Group Object Removed | Created when a group is removed from a container. | Medium |
| Group Renamed | Created when a group is renamed. | Medium |
| Group samAccountName Changed | Created when the samAccountName attribute for a group is changed. | Medium |
| Group Type Changed | Created when the group type for a group is changed. | Medium |
| Member Added to Group | Created when a new member is added to a group. | Medium |
| Member Removed from Group | Created when a member is removed from a group. | Medium |
| Nested Member Added to Group | Created when a member is added to a nested group within a monitored group. | Medium |
| Nested Member Removed from Group | Created when a member is removed from a nested group within a monitored group. | Medium |
| Owner Changed on Group Object | Created when the owner of a group object is changed. | Medium |

Custom User Monitoring


Table 10. Custom User Monitoring events

| Event | Description | Severity |
| --- | --- | --- |
| Active Session Limit Changed for User Object | Created when the Active session limit setting is changed in the Sessions settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Allow Reconnection Changed for User Object | Created when the Allow reconnection option is changed in the Sessions settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| City Changed on User Object | Created when the City field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Company Changed for User Object | Created when the Company field is changed in the Organization settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Connect Client Drives at Logon Changed for User Object | Created when the Connect Client Drives at Logon option is changed in the Environment settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Connect Client Printers at Logon Changed for User Object | Created when the Connect Client Printers at Logon option is changed in the Environment settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Country/Region Changed on User Object | Created when the Country/Region field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| DACL Changed on User Object | Created when the DACL is changed for a user object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes), do not report inherited access control entry (ACE) changes. This event does not report inherited ACL changes. | High |
| Default to Main Client Printer Changed for User Object | Created when the Default to Main Client Printer at Logon option is changed in the Environment settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Delegation Authentication Protocol Changed for User Object | Created when the Delegation protocol is changed in the Delegation settings for a user object in the Active Directory Users and Computers administrative tool. NOTE: The Delegation settings tab only appears when the AD User and Computers ‘Advanced Features’ option is enabled, and only on accounts with registered SPNs in domains with Windows Server® 2003 (or higher) Functional Level. | Medium |
| Department Changed for User Object | Created when the Department field is changed in the Organization settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Description Changed on User Object | Created when the Description field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Direct Report Added to User Object | Created when the user is added as the ‘Manager’ in the Organization settings for another user object in the Active Directory Users and Computers administrative tool. | Medium |
| Direct Report Removed from User Object | Created when the user is removed as the ‘Manager’ in the Organization settings for another user object in the Active Directory Users and Computers administrative tool. | Medium |
| Display Name Changed on User Object | Created when the Display Name field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| Domain User Renamed | Created when a user’s domain user name is changed. | Medium |
| Dynamic User Object Added | Created when a dynamic user object is added to a container. | Medium |
| Dynamic User Object Changed | Created when a dynamic user object is modified. | Medium |
| Dynamic User Object Removed | Created when a dynamic user object is removed from a container. | Medium |
| Enable Remote Control Changed for User Object | Created when the Enable remote control option is changed in the Remote Control settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
| End a Disconnected Session Changed for User Object | Created when the End a disconnected session setting is changed in the Sessions settings for a user object in the Active Directory Users and Computers administrative tool. | Medium |
Fax Number Changed on User Object Created when the Fax field is changed in the Telephone Medium
settings for a user object in the Active Directory Users
and Computers administrative tool.
First Name Changed on User Object Created when the First Name field is changed in the Medium
General settings for a user object in the Active Directory
Users and Computers administrative tool.

Home Folder Changed on User Object | Created when the contents of either of the Home Folder fields (local or connect) are changed in the Profile settings for a user in Active Directory Users and Computers. | Medium
Home Folder Mapped Drive Changed on User Object | Created when the Home Folder: Connect mapped drive field is changed in the Profile settings for a user in Active Directory Users and Computers. | Medium
Home Telephone Number Changed on User Object | Created when the Home field is changed in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Idle Session Limit Changed for User Object | Created when the Idle session limit setting is changed in the Sessions settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Initials Changed on User Object | Created when the Initials field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
IP Phone Number Changed on User Object | Created when the IP Phone field is changed in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Last Name Changed on User Object | Created when the Last Name field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Level of Control Changed on User Object | Created when the Level of control option is changed in the Remote Control settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Logon Script Changed on User Object | Created when the Logon Script field is changed in the Profile settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Manager Changed for User Object | Created when the Manager field is changed in the Organization settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Mobile Number Changed on User Object | Created when the Mobile field is changed in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Office Changed on User Object | Created when the Office field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Fax Number Added to User Object | Created when a number is added to the Fax: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Fax Number Removed from User Object | Created when a number is removed from the Fax: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Home Telephone Number Added to User Object | Created when a number is added to the Home: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Home Telephone Number Removed from User Object | Created when a number is removed from the Home: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other IP Phone Number Added to User Object | Created when a number is added to the IP Phone: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other IP Phone Number Removed from User Object | Created when a number is removed from the IP Phone: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Mobile Number Added to User Object | Created when a number is added to the Mobile: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Mobile Number Removed from User Object | Created when a number is removed from the Mobile: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Pager Number Added to User Object | Created when a number is added to the Pager: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Pager Number Removed from User Object | Created when a number is removed from the Pager: Other list in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Telephone Number Added to User Object | Created when a number is added to the Telephone Number: Other list in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Telephone Number Removed from User Object | Created when a number is removed from the Telephone Number: Other list in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Web Page Added to User Object | Created when a web page is added to the Web Page: Other list in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Other Web Page Removed from User Object | Created when a web page is removed from the Web Page: Other list in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Owner Changed on User Object | Created when the owner of a user object is changed. | Medium
P.O. Box Changed on User Object | Created when the P.O. Box field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Pager Number Changed on User Object | Created when the Pager field is changed in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Partition Set Changed for User Object | Created when the Partition set setting is changed in the COM+ settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Primary Group ID Changed for User Object | Created when the Primary group setting is changed in the Member Of settings for a user object in the Active Directory Users and Computers administrative tool. NOTE: This setting is only available when a global or universal security group in the user’s domain, different than the current primary group, is selected in the Member Of list. | Medium
Profile Path Changed on User Object | Created when the Profile Path field is changed in the Profile settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Published Certificate Added to User Object | Created when a certificate is added to the List of X509 certificates published for the user account field in the Published Certificate settings for a user in Active Directory Users and Computers. | Medium
Published Certificate Removed from User Object | Created when a certificate is removed from the List of X509 certificates published for the user account field in the Published Certificate settings for a user in the Active Directory Users and Computers administrative tool. | Medium
Require User’s Permission Changed for User Object | Created when the Require user’s permission option is changed in the Remote Control settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Service Added to Delegation List of User Object | Created when a service is added to the Services list in the Delegation settings for a user object in the Active Directory Users and Computers administrative tool. NOTE: The Delegation settings tab only appears when the AD User and Computers ‘Advanced Features’ option is enabled, and only on accounts with registered SPNs in domains with Windows Server 2003 (or higher) Functional Level. | Medium
Service Removed from Delegation List of User Object | Created when a service is removed from the Services list in the Delegation settings for a user object in the Active Directory Users and Computers administrative tool. NOTE: The Delegation settings tab only appears when the AD User and Computers ‘Advanced Features’ option is enabled, and only on accounts with registered SPNs in domains with Windows Server 2003 (or higher) Functional Level. | Medium
Starting Directory Changed for User Object | Created when the Start In field is changed in the Environment settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Starting Program Changed for User Object | Created when the Program File Name field is changed in the Environment settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
State/Province Changed on User Object | Created when the State/Province field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Street Address Changed on User Object | Created when the Street field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Telephone Notes Changed on User Object | Created when the Notes field is changed in the Telephone settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Telephone Number Changed on User Object | Created when the Telephone number field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
Terminal Services Home Folder Drive Changed | Created when the Terminal Services home folder drive is changed in the Terminal Services Profile settings for an Active Directory® user object. | Medium
Terminal Services Home Folder Path Changed | Created when the Terminal Services home folder path is changed in the Terminal Services Profile settings for an Active Directory user object. | Medium
Terminal Services Home Folder Type Changed | Created when the Terminal Services home folder type is changed in the Terminal Services Profile settings for an Active Directory user object. | Medium
Terminal Services Logon Permission Changed | Created when the Deny this user permission to log on to any Terminal Server option is changed in the Terminal Services Profile settings for an Active Directory® user object. | Medium
Terminal Services User Profile Path Changed | Created when the Terminal Services user profile path is changed in the Terminal Services Profile settings for an Active Directory user object. | Medium
Title Changed for User Object | Created when the Title field is changed in the Organization settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
User Account Disabled | Created when a user account is disabled. | Medium
User Account Enabled | Created by default when a user account is enabled, including when the account is created. | Medium
User Account is Sensitive and Cannot be Delegated Option Changed | Created when the User Account is Sensitive and Cannot be Delegated option is changed on the user object account options. | Medium
User Account is Trusted for Delegation Option Changed | Created when the User Account is Trusted for Delegation option is changed on the user object account options. | Medium
User Account Locked | Created when a user’s account is locked. | Medium
User Account Re-enabled | Created when an existing user account is enabled after having been disabled. (Disabled by default) NOTE: This event is intended for users that prefer to turn off the ‘User Account Enabled’ event so it is not generated when a user account is created. | Medium
User Account Type Changed | Created when a user object account option is changed. | Medium
User Account Unlocked | Created when a user’s account is unlocked. | Medium
User accountExpires Changed | Created when the accountExpires attribute for a user object is changed. | Medium
User Dial-in Callback Options Changed | Created when the user Dial-In callback options user attribute has changed. | Medium
User Dial-in Remote Access Permission Changed | Created when the Dial-in Remote Access Permission attribute for the user object has changed. | Medium
User Dial-in Static IP Address Changed | Created when the User Dial-in Static Address user attribute has changed. | Medium
User Dial-in Static Route Added | Created when the User Dial-in Static Route added attribute has been changed. | Medium
User Dial-in Static Route Removed | Created when the User Dial-in Static Route removed attribute has been changed. | Medium
User Dial-in Verify Caller-ID Changed | Created when the user Dial-in verify caller-ID user attribute has been changed. | Medium
User Do Not Require Kerberos Preauthentication Option Changed | Created when the User Do Not Require Kerberos Preauthentication option is changed on the user object account options. | Medium
User logonHours Changed | Created when the logonHours attribute for a user object is changed. | Medium
User Member-Of Added | Created when a user is added to a group. | Medium
User Member-Of Removed | Created when a user is removed from a group. | Medium
User Must Change Password at Next Logon Option Changed | Created when the User Must Change Password at the Next Logon option is changed in the Account settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
User Object Added | Created when a user is added to a container. | Medium
User Object Moved | Created when a user is moved to or from a container. | Medium
User Object Removed | Created when a user is removed from a container. | Medium
User Password Changed | Created when a user’s password is changed. | Medium
User Password Changed by Non-owner | Created when a user’s password is changed by someone other than the account owner. | Medium
User Password Never Expires Option Changed | Created when the Password Never Expires option is changed on the user object account options. | Medium
User samAccountName Changed | Created when the User log on name (pre-Windows® 2000) field (sAMAccountName attribute) is changed in the Account settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
User Smart Card is Required for Interactive Logon Option Changed | Created when the User Smart Card is Required for Interactive Logon option is changed on the user object account options. | Medium
User Store Password Using Reversible Encryption Option Changed | Created when the User Store Password Using Reversible Encryption option is changed on the user object account options. | Medium
User Use DES Encryption Types for This Account Option Changed | Created when the User Use DES Encryption Types for this Account option is changed on the user object account options. | Medium
User userPrincipalName Changed | Created when the userPrincipalName attribute for a user object is changed. | Medium
User userWorkstations Added | Created when a computer is added to the userWorkstations attribute of a user object. | Medium
User userWorkstations Removed | Created when a computer is removed from the userWorkstations attribute of a user object. | Medium
User's ability to update their password has changed | Created when the user’s ability to update their password has changed. | High
User's home folder requirement has changed | Created when the UserAccountControl attribute property flag (ADS_UF_HOMEDIR_REQUIRED) has changed. This flag determines whether a user must have a home folder. This value can be set to: Required, Not required. | Medium
User's requirement for a password has changed | Created when the UserAccountControl attribute property flag (ADS_UF_PASSWD_NOTREQD) has changed. This flag determines whether a user must have a password. This value can be set to: Required, Not required. | High
Web Page Changed on User Object | Created when the Web Page field is changed in the General settings for a user object in the Active Directory Users and Computers administrative tool. | Medium
When Session Limit is Reached Changed for User Object | Created when the When a session limit is reached or connection is broken option is changed for a user object in the Active Directory Users and Computers administrative tool. | Medium
Zip/Postal Code Changed on User Object | Created when the Zip/Postal Code field is changed in the Address settings for a user object in the Active Directory Users and Computers administrative tool. | Medium

DNS Service
Table 11. DNS Service events

Event | Description | Severity
Address Answer Limit Changed | Created when the Answer section address limit of the DNS service is changed. | Medium
AutoConfigFileZones Setting Changed | Created when the Automatic Configuration of Standard Primary Zones setting of the DNS service is changed. | Medium
BIND Secondaries Flag Changed | Created when the Bind secondaries setting of the DNS server is changed. | Medium
Database Directory Setting Changed | Created when the Database Directory setting of the DNS service is changed. | Medium
Default Aging State Setting Changed | Created when the Default Aging State of the DNS service is changed. | Medium
Disable Auto Reverse Zones Setting Changed | Created when the Disable Auto Reverse Zones setting of the DNS service is changed. | Medium
DisableNSRecordsAutoCreation | Created when the DisableNSRecordsAutoCreation registry entry is added, removed, or changed. | Medium
DNS Service Added | Created when a DNS service is added to a domain controller. | Medium
DNS Service Removed | Created when a DNS service is removed from a domain controller. | Medium
Enable Netmask Ordering Flag Changed | Created when the Netmask ordering setting of the DNS server is changed. | Medium
Enable Scavenging of Stale Resource Record Setting Changed | Created when the Automatic scavenging of stale resource records setting of the DNS server is changed. | Medium
Event Log Level Changed | Created when the Event Log Level setting of the DNS service is changed. | Medium
Fail On Load Flag Changed | Created when the Fail on load if bad zone data setting of the DNS server is changed. | Medium
Forward Delegations Setting Changed | Created when the Forward Delegations setting of the DNS service is changed. | Medium
Forwarder Timeout Changed | Created when the Number of seconds before forward queries time out setting of the DNS server is changed. | Medium
Forwarders List Changed | Created whenever an entry is added or removed from the Forwarders list. | Medium
IsSlave Setting Changed | Created when the IsSlave setting of the DNS service is changed. | Medium
Listen-on Interfaces Changed | Created whenever an entry is added or removed from the listen on interfaces list. | Medium
Log File Path Changed | Created when the Log File Path of the DNS service is changed. | Low
LogFileMaxSize Setting Changed | Created when the LogFileMaxSize setting of the DNS service is changed. | Low
Loose Wildcarding Setting Changed | Created when the Loose Wildcarding setting of the DNS service is changed. | Medium
Max Cache TTL Setting Changed | Created when the Max Cache TTL setting of the DNS service is changed. | Medium
Name Checking Option Changed | Created when the name checking option of the DNS server is changed. | Medium
No-refresh Interval Changed | Created when the No-refresh interval setting of the DNS server is changed. | Medium
Publish Addresses List Changed | Created when the Publish Addresses list of the DNS service is changed. | Medium
Publish Autonet Setting Changed | Created when the Publish Autonet setting of the DNS service is changed. | Medium
Recursion Flag Changed | Created when the Disable recursion setting of the DNS server is changed. | Medium
Recursion Retry Setting Changed | Created when the Recursion Retry setting of the DNS service is changed. | Medium
Recursion Timeout Setting Changed | Created when the Recursion Timeout setting of the DNS service is changed. | Medium
Refresh Interval Changed | Created when the Refresh interval setting of the DNS server is changed. | Medium
Round-robin Flag Changed | Created when the Enable round robin setting of the DNS server is changed. | Medium
RPC Protocol Setting Changed | Created when the RPC Protocol setting of the DNS service is changed. | Medium
Scavenging Period Changed | Created when the scavenging period setting of the DNS server is changed. | Medium
Secure Cache Against Pollution Flag Changed | Created when the Secure cache against pollution setting of the DNS server is changed. | Medium
Send Port Setting Changed | Created when the Send Port setting of the DNS service is changed. | Medium
Service Log Level Changed | Created when the diagnostic log level for a DNS service is changed. | Medium
Transfer Connect Timeout Setting Changed | Created when the Transfer Connect Timeout setting of the DNS service is changed. | Medium
Update Options Setting Changed | Created when the Update Options setting of the DNS service is changed. | Medium
WriteAuthorityNS Setting Changed | Created when the WriteAuthorityNS setting of the DNS service is changed. | Medium
Zone Added | Created when a new zone is added. | Medium
Zone Deleted | Created when a zone is deleted. | Medium
Zone Load Mode Changed | Created when the Load zone data on startup setting of the DNS server is changed. | Medium

DNS Zone
Table 12. DNS Zone events

Event | Description | Severity
Aging No-refresh Interval Changed | Created when the aging no-refresh interval of the zone is changed. | Medium
Aging Refresh Interval Changed | Created when the aging refresh interval of the zone is changed. | Medium
DNS AAAA Record Added | Created when the DNS host (AAAA) record is added to a zone. (Disabled by default) NOTE: This event is captured for Active Directory® integrated DNS zones only. | Low
DNS AAAA Record Modified | Created when the DNS host (AAAA) record in a zone is modified. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS AAAA Record Removed | Created when the DNS host (AAAA) record is removed from a zone. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS A Record Added | Created when the DNS host (A) record is added to a zone. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS A Record Modified | Created when the DNS host (A) record in a zone is modified. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS A Record Removed | Created when the DNS host (A) record is removed from a zone. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS CNAME Record Added | Created when the DNS CNAME (Alias) record is added to a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS CNAME Record Removed | Created when the DNS CNAME (Alias) record is removed from a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS MX Record Added | Created when the DNS MX (Mail Exchange) record is added to a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS MX Record Removed | Created when the DNS MX (Mail Exchange) record is removed from a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS PTR Record Added | Created when the DNS PTR (Pointer) record is added to a zone. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS PTR Record Removed | Created when the DNS PTR (Pointer) record is removed from a zone. (Disabled by default) NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS SRV Record Added | Created when the DNS SRV (Service Locator) record is added to a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
DNS SRV Record Removed | Created when the DNS SRV (Service Locator) record is removed from a zone. NOTE: This event is captured for Active Directory integrated DNS zones only. | Low
Expires After Period Changed | Created when the expires-after period has changed in the zone. Disabled by default. | Medium
Name Server Added | Created when a name server is added to the zone. Disabled by default. | Medium
Name Server Removed | Created when a name server is removed from the zone. Disabled by default. | Medium
Primary Server Changed | Created when the primary server in the SOA has changed in the zone. Disabled by default. | Medium
Retry Interval Changed | Created when the retry interval has changed in the zone. Disabled by default. | Medium
WINS Forwarding Flag Disabled | Created when WINS forwarding flag is disabled in the zone. Disabled by default. | Low
WINS Forwarding Flag Enabled | Created when WINS forwarding flag is enabled in the zone. Disabled by default. | Low
WINS Forwarding Host List Changed | Created when the WINS forwarding host list has changed in the zone. Disabled by default. | Low
Zone Allow Dynamic Updates Flag Changed | Created when the allow dynamic updates flag is changed in the zone. | Medium
Zone Default TTL Changed | Created when the default TTL has changed in the zone. Disabled by default. | Medium
Zone Delegation Added | Created when a zone is delegated. Disabled by default. | Medium
Zone Delegation Removed | Created when a zone delegation is removed. Disabled by default. | Medium
Zone Refresh Interval Changed | Created when the refresh interval has changed in the zone. Disabled by default. | Medium
Zone Replication Scope Changed | Created when the zone replication scope is changed. | Medium
Zone Scavenging Flag Changed | Created when scavenging is enabled or disabled in the zone. | Medium
Zone Storage Changed | Created when the zone storage is changed. | Medium
Zone Transfer Flag Changed | Created when the zone transfer flag of the zone is changed. | Medium
Zone Transfer Host List Changed | Created when the zone transfer host list of the zone is changed. | Medium
Zone Type Changed | Created when the zone type is changed. | Medium

Domain Configuration
Table 13. Domain Configuration events

Event | Description | Severity
Allowed DNS Suffix List Changed for Domain | Created when a new value is added to or removed from the list of allowed DNS suffixes for a domain. | Medium
DACL Changed on AdminSDHolder Object | Created when the DACL is changed for an object located at CN=AdminSDHolder,CN=System,DC=<Domain Name>. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes) will not report inherited access control entry (ACE) changes. This event does NOT report inherited ACL changes. | High
DACL Changed on Domain Object | Created when the DACL is changed on a domain object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes) will not report inherited access control entry (ACE) changes. This event does NOT report inherited ACL changes. | High
Default Quota for Partition Changed | Created when the default object quota for the Configuration NC, a domain NC, or an application partition is changed. | Medium
Domain Controller Added to Domain | Created when a new domain controller is promoted into the domain. | Medium
Domain Controller Removed from Domain | Created when a domain controller is demoted from the domain. | Medium
Domain Controller Renamed | Created when a domain controller is renamed. | Medium
Domain Functional Level Changed | Created when the domain functional level is changed. | Medium
Domain Group Policy Order Changed | Created when the list of group policies linked to a domain is re-ordered. | Medium
Guest Account Disabled | Created when the Guest account is disabled in a domain. | Medium
Guest Account Enabled | Created when the Guest account is enabled in a domain. | Medium
Infrastructure FSMO Role Owner Moved | Created when the infrastructure FSMO role owner is changed from one DC to another. | High
Object Quota Added | Created when a new object quota is added to an NC. | Medium
Object Quota Removed | Created when an object quota is removed from an NC. | Medium
PDC FSMO Role Owner Moved | Created when the PDC FSMO role owner is changed from one DC to another. | High
Quota Security Principal Changed | Created when the security principal for an existing quota is changed. | Medium
Quota Value Changed | Created when the quota value for an existing quota is changed. | Medium
Read-Only Domain Controller Added to Domain | Created when a Read-Only Domain Controller is added to a domain. | Medium
Read-Only Domain Controller Removed from Domain | Created when a Read-Only Domain Controller is demoted. | Medium
Read-Only Domain Controller Renamed | Created when a Read-Only Domain Controller is renamed. | Medium
RID FSMO Role Owner Moved | Created when the RID FSMO role owner is changed from one DC to another. | High
Tombstone Quota Factor for Partition Changed | Created when the quota factor for tombstone objects is changed for the Configuration NC, a domain NC, or an application partition. | Medium
Trust Added | Created when a Trust is created between 2 domains. | Medium
Trust Removed | Created when a Trust is removed. | High

Dynamic Access Control
NOTE: Dynamic Access Control is available in Windows® Server 2012; therefore, the events in this facility
do not apply to earlier versions of Windows Server.

Table 14. Dynamic Access Control events

| Event | Description | Severity |
| --- | --- | --- |
| Central Access Policy Created | Created when a Central Access Policy is created. | Medium |
| Central Access Policy Description Changed | Created when the description of a Central Access policy is changed. | Medium |
| Central Access Policy Deleted | Created when a Central Access Policy is deleted. | Medium |
| Central Access Policy Permission Changed | Created when the permission of a Central Access Policy is changed. | High |
| Central Access Policy Rule Added | Created when a rule is added to a Central Access Policy. | Medium |
| Central Access Policy Rule Changed | Created when a rule for a Central Access Policy is changed. | Medium |
| Central Access Policy Rule Removed | Created when a rule is removed from a Central Access Policy. | Medium |
| Central Access Rule Created | Created when a central access rule is created. | Medium |
| Central Access Rule Description Changed | Created when the description of a central access rule is changed. | Medium |
| Central Access Rule Deleted | Created when a central access rule is deleted. | Medium |
| Central Access Rule Effective Permission Changed | Created when the effective permission of a central access rule is changed. | High |
| Central Access Rule Permission Changed | Created when the permission of a central access rule is changed. | High |
| Central Access Rule Proposed Permission Changed | Created when the proposed permission of a central access rule is changed. | High |
| Central Access Rule Target Resource Changed | Created when the target resource of a central access rule is changed. | Medium |
| Claim Type AD Attribute Changed | Created when an AD attribute for a claim type is changed. | Medium |
| Claim Type Class Added | Created when a claim type class is added. | Medium |
| Claim Type Class Changed | Created when a claim type class is changed. | Medium |
| Claim Type Class Removed | Created when a claim type class is removed. | Medium |
| Claim Type Created | Created when a claim type is created. | Medium |
| Claim Type Deleted | Created when a claim type is deleted. | Medium |
| Claim Type Description Changed | Created when the description of a claim type is changed. | Medium |
| Claim Type Disabled | Created when a claim type is disabled. | Medium |
| Claim Type Display Name Changed | Created when the display name of a claim type is changed. | Medium |
| Claim Type Enabled | Created when a claim type is enabled. | Medium |
| Claim Type Permission Changed | Created when the permission of a claim type is changed. | High |
| Claim Type Suggested Values Changed | Created when the suggested values of a claim type are changed. | Medium |
| Reference Resource Property Created | Created when a reference resource property is created. | Medium |
| Reference Resource Property Deleted | Created when a reference resource property is deleted. | Medium |
| Reference Resource Property Description Changed | Created when the description of a reference resource property is changed. | Medium |
| Reference Resource Property Disabled | Created when a reference resource property is disabled. | Medium |
| Reference Resource Property Display Name Changed | Created when the display name of a reference resource property is changed. | Medium |
| Reference Resource Property Enabled | Created when a reference resource policy is enabled. | Medium |
| Reference Resource Property Permission Changed | Created when the permission of a reference resource policy is changed. | High |
| Resource Property Created | Created when a resource property is created. | Medium |
| Resource Property Deleted | Created when a resource property is deleted. | Medium |
| Resource Property Description Changed | Created when the description for a resource property is changed. | Medium |
| Resource Property Disabled | Created when a resource property is disabled. | Medium |
| Resource Property Display Name Changed | Created when the display name for a resource property is changed. | Medium |
| Resource Property Enabled | Created when a resource property is enabled. | Medium |
| Resource Property Permission Changed | Created when the permission for a resource property is changed. | High |
| Resource Property Suggested Values Changed | Created when the suggested values for a resource property are changed. | Medium |
| Resource Property List Created | Created when a resource property list is created. | Medium |
| Resource Property List Deleted | Created when a resource property list is deleted. | Medium |
| Resource Property List Description Changed | Created when the description of a resource property list is changed. | Medium |
| Resource Property List Member Added | Created when a member is added to a resource property list. | Medium |
| Resource Property List Member Changed | Created when a member of a resource property list is changed. | Medium |
| Resource Property List Member Removed | Created when a member is removed from a resource property list. | Medium |
| Resource Property List Permission Changed | Created when the permission of a resource property list is changed. | High |

Forest Configuration
Table 15. Forest Configuration events

| Event | Description | Severity |
| --- | --- | --- |
| Alternate UPN Suffix Added to Enterprise | Created when an entry is added to the list of alternate UPN suffixes available for user names. | Medium |
| Alternate UPN Suffix Removed from Enterprise | Created when an entry is removed from the list of alternate UPN suffixes available for user names. | Medium |
| Cross-forest Trust Added | Created when a trust is created between 2 forests. | Medium |
| Cross-forest Trust Removed | Created when a trust is removed between 2 forests. | High |
| Domain Added | Created when a domain is added to the partitions container. | High |
| Domain FSMO Role Owner Moved | Created when the domain naming FSMO role owner is changed from one DC to another. | High |
| Domain Removed | Created when a domain is removed from the partitions container. | High |
| Extended Access Right Added | Created when a new extended access right object is added to the system. | Medium |
| Extended Access Right Removed | Created when an extended access right object is removed from the system. | Medium |
| Forest Functional Level Changed | Created when the forest functional level is changed. | High |
| GC Added | Created when a domain controller is promoted from a non-GC to a GC. | Medium |
| GC Removed | Created when a domain controller is demoted from a GC to a non-GC. | High |
| Member Added to Critical Enterprise Group | Created when a new member is added to one of the critical enterprise groups. Critical enterprise groups include: Server Operators, Print Operators, Network Configuration Operators, Incoming Forest Trust Builders, Backup Operators, Administrators, Account Operators, Cert Publishers, DHCP Administrators, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, RAS and IAS Servers, Schema Admins. | High |
| Member Removed from Critical Enterprise Group | Created when a new member is removed from one of the critical enterprise groups. Critical enterprise groups include: Server Operators, Print Operators, Network Configuration Operators, Incoming Forest Trust Builders, Backup Operators, Administrators, Account Operators, Cert Publishers, DHCP Administrators, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, RAS and IAS Servers, Schema Admins. | High |
| Nested Member Added to Critical Enterprise Group | Created when a member is added to a nested group in a critical enterprise group. | High |
| Nested Member Removed from Critical Enterprise Group | Created when a member is removed from a nested group in a critical enterprise group. | Medium |
| Query Policy Added | Created when a new domain controller query policy is added. | Low |
| Query Policy Removed | Created when a domain controller query policy object is removed. | Low |
| Schema FSMO Role Owner Moved | Created when the schema FSMO role owner is changed from one DC to another. | High |
| Site Added | Created when a new site is added to the forest. | Medium |
| Site Link Added | Created when a site link is added to either the IP or SMTP containers. | Medium |
| Site Link Bridge Added | Created when a site link bridge is added to either the IP or SMTP containers. | Medium |
| Site Link Bridge Removed | Created when a site link bridge is removed from either the IP or SMTP containers. | High |
| Site Link Removed | Created when a site link is removed from either the IP or SMTP containers. | High |
| Site Removed | Created when a site is removed from the forest. | High |
| Site Renamed | Created when an existing site is renamed. | Medium |
| Subnet Added | Created when a new subnet is added. | Medium |
| Subnet Removed | Created when a subnet is removed. | High |

FRS Service
Table 16. FRS Service events

| Event | Description | Severity |
| --- | --- | --- |
| FRS Access Check Changed | Created when an FRS access check is changed. | Low |
| FRS Directory Exclusion Filter List Changed on Domain Controller | Created when the FRS directory exclusion filter list on a domain controller is changed. | Low |
| FRS Directory Exclusion Filter List Changed on Replica Set | Created when the FRS directory exclusion filter list on a Replica Set is changed. | Low |
| FRS File Exclusion Filter List Changed for Replica Set | Created when the FRS file exclusion filter list on a Replica Set is changed. | Low |
| FRS File Exclusion Filter List Changed on Domain Controller | Created when the FRS file exclusion filter list on a Domain controller is changed. | Low |
| FRS Mutual Authentication Setting Changed | Created when the FRS mutual authentication is changed. | Low |
| FRS RPC TCP/IP Port Assignment Changed | Created when the FRS TCP/IP port assignment is changed. | Low |
| FRS Staging Space Limit Changed | Created when the FRS Staging space limit is changed. | Low |
| FRS Working Directory Changed | Created when the FRS working directory is changed. | Low |

Group Policy Item


Table 17. Group Policy Item events

| Event | Description | Severity |
| --- | --- | --- |
| Access Credential Manager as a Trusted Caller | Created when the Access Credential Manager as a Trusted Caller policy is changed in a Group Policy Object. | Medium |
| Access This Computer From The Network Policy Changed | Created when the Computer policy Access This Computer From The Network setting is changed in a Group Policy Object. | Medium |
| Account Lockout Duration Policy Changed | Created when the Computer policy Account Lockout Duration setting is changed in a Group Policy Object. | Medium |
| Account Lockout Threshold Policy Changed | Created when the Computer policy Account Lockout Threshold setting is changed in a Group Policy Object. | Medium |
| Account Logon: Audit Credential Validation Changed | Created when the Account Logon: Audit Credential Validation policy setting is changed in a Group Policy Object. | Medium |
| Account Logon: Audit Kerberos Authentication Service Changed | Created when the Account Logon: Audit Kerberos Authentication Service policy setting is changed in a Group Policy Object. | Medium |
| Account Logon: Audit Kerberos Service Ticket Operations Changed | Created when the Account Logon: Audit Kerberos Service Ticket Operations policy setting is changed in a Group Policy Object. | Medium |
| Account Logon: Audit Other Account Logon Events Changed | Created when the Account Logon: Audit Other Application Logon Events policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit Application Group Management Changed | Created when the Account Management: Audit Application Group Management policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit Computer Account Management Changed | Created when the Account Management: Audit Computer Account Management policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit Distribution Group Management Changed | Created when the Account Management: Audit Distribution Group Management policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit Other Account Management Events Changed | Created when the Account Management: Audit Other Account Management Events policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit Security Group Management Changed | Created when the Account Management: Audit Security Group Management policy setting is changed in a Group Policy Object. | Medium |
| Account Management: Audit User Account Management Changed | Created when the Account Management: Audit User Account Management policy setting is changed in a Group Policy Object. | Medium |
| Accounts: Administrator Account Status Policy Changed | Created when the Accounts: Administrator Account Status setting is changed in a Group Policy Object. | Medium |
| Accounts: Guest Account Status Policy Changed | Created when the Accounts: Guest Account Status setting is changed in a Group Policy Object. | Medium |
| Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only Policy Changed | Created when the Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only setting is changed in a Group Policy Object. | Medium |
| Accounts: Rename Administrator Account Policy Changed | Created when the Accounts: Rename Administrator Account is changed in a Group Policy Object. | Medium |
| Accounts: Rename Guest Account Policy Changed | Created when the Accounts: Rename Guest Account is changed in a Group Policy Object. | Medium |
| Act As Part Of The Operating System Policy Changed | Created when the Computer policy Act As Part Of The Operating System setting is changed in a Group Policy Object. | Medium |
| Add Workstations to Domain Policy Changed | Created when the Computer policy Add Workstations to Domain setting is changed in a Group Policy Object. | Medium |
| Adjust Memory Quotas for a Process Policy Changed | Created when the Computer policy Adjust Memory Quotas for a Process setting is changed in a Group Policy Object. | Medium |
| Allow Log On Locally Policy Changed | Created when the Computer policy Allow Log On Locally setting is changed in a Group Policy Object. | Medium |
| Allow Log On Through Terminal Services Policy Changed | Created when the Computer policy Allow Log On Through Terminal Services setting is changed in a Group Policy Object. | Medium |
| Audit Account Logon Events Policy Changed | Created when the Computer policy Audit Account Logon Events setting is changed in a Group Policy Object. | Medium |
| Audit Account Management Policy Changed | Created when the Computer policy Audit Account Management setting is changed in a Group Policy Object. | Medium |
| Audit Directory Service Access Policy Changed | Created when the Computer policy Audit Directory Service Access setting is changed in a Group Policy Object. | Medium |
| Audit Logon Events Policy Changed | Created when the Computer policy Audit Logon Events setting is changed in a Group Policy Object. | Medium |
| Audit Object Access Policy Changed | Created when the Computer policy Audit Object Access setting is changed in a Group Policy Object. | Medium |
| Audit Policy Change Policy Changed | Created when the Computer policy Audit Policy Change setting is changed in a Group Policy Object. | Medium |
| Audit Privilege Use Policy Changed | Created when the Computer policy Audit Privilege Use setting is changed in a Group Policy Object. | Medium |
| Audit Process Tracking Policy Changed | Created when the Computer policy Audit Process Tracking setting is changed in a Group Policy Object. | Medium |
| Audit System Events Policy Changed | Created when the Computer policy Audit System Events setting is changed in a Group Policy Object. | Medium |
| Audit: Audit the Access of Global System Objects Policy Changed | Created when the Audit: Audit the Access of Global System Objects setting is changed in a Group Policy Object. | Medium |
| Audit: Audit the Use of Backup and Restore Privilege Policy Changed | Created when the Audit: Audit the Use of Backup and Restore Privilege setting is changed in a Group Policy Object. | Medium |
| Audit: Force Audit Policy Subcategory Settings (Windows Vista or later) to Override Audit Policy Category Settings | Created when the Audit: Force Audit Policy Subcategory Settings (Windows Vista or later) to Override Audit Policy Category Settings policy is changed in a Group Policy Object. | Medium |
| Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed | Created when the Audit: Shut Down System Immediately if Unable to Log Security Audits setting is changed in a Group Policy Object. | Medium |
| Back Up Files and Directories Policy Changed | Created when the Computer policy Back Up Files And Directories setting is changed in a Group Policy Object. | Medium |
| BitLocker Drive Encryption Added | Created when the BitLocker Drive Encryption security feature is added to a Group Policy Object. | Medium |
| BitLocker Drive Encryption Changed | Created when the BitLocker Drive Encryption settings are changed on a Group Policy Object. | Medium |
| BitLocker Drive Encryption Removed | Created when the BitLocker Drive Encryption security feature is removed from a Group Policy Object. | Medium |
| Bypass Traverse Checking Policy Changed | Created when the Computer policy Bypass Traverse Checking setting is changed in a Group Policy Object. | Medium |
| Central Access Policy Added to Group Policy | Created when a Central Access Policy is added to a Group Policy. NOTE: Central Access Policy is available in Windows Server 2012; therefore, this event does not apply to earlier versions of Windows Server. | Medium |
| Central Access Policy Removed From Group Policy | Created when a Central Access Policy is removed from a Group Policy. NOTE: Central Access Policy is available in Windows Server 2012; therefore, this event does not apply to earlier versions of Windows Server. | Medium |
| Change the System Time Policy Changed | Created when the Computer policy Change The System Time setting is changed in a Group Policy Object. | Medium |
| Change the Time Zone | Created when the Change the Time Zone policy is changed in a Group Policy Object. | Medium |
| Computer Administrative Template Setting Changed | Created when a setting associated with a Computer Administrative Template is enabled, changed, or disabled. | Medium |
| Computer Group Policy Preference Setting Changed | Created when a computer preference in a group policy is enabled, changed, or disabled. NOTE: Group policy preferences are available in Windows® 2008 Group Policy Editor. NOTE: This event is not available in earlier versions of Windows server. | Medium |
| Computer Group Policy Script setting changed | Created when a computer startup/shutdown script in a group policy is added, changed, or removed. | Medium |
| Computer Public Key Policies Autoenrollment Settings Changed | Created when any properties of Autoenrollment Settings in the Computer Configuration Public Key Policies Enterprise Trust list are changed. | Medium |
| Computer Public Key Policies Automatic Certificate Request Added | Created when an Automated Certificate Request is added to the Computer Configuration Public Key Policies Automated Certificate Request Settings. | Medium |
| Computer Public Key Policies Automatic Certificate Request Changed | Created when an Automated Certificate Request setting is changed in the Computer Configuration Public Key Policies Automated Certificate Request list. | Medium |
| Computer Public Key Policies Automatic Certificate Request Removed | Created when an Automated Certificate Request is removed from the Computer Configuration Public Key Policies Automated Certificate Request list. | Medium |
| Computer Public Key Policies Encrypting File System DRA Added | Created when a Data Recovery Agent (DRA) is added to the Computer Configuration Public Key Policies Encrypting File System list. | Medium |
| Computer Public Key Policies Encrypting File System DRA Changed | Created when a Data Recovery Agent (DRA) is changed in the Computer Configuration Public Key Policies Encrypting File System list. | Medium |
| Computer Public Key Policies Encrypting File System DRA Removed | Created when a Data Recovery Agent (DRA) is removed from the Computer Configuration Public Key Policies Encrypting File System list. | Medium |
| Computer Public Key Policies Enterprise Trust List Added | Created when a certificate is imported into the Computer Configuration Public Key Policies Enterprise Trust. | Medium |
| Computer Public Key Policies Enterprise Trust List Changed | Created when a certificate in the Computer Configuration Public Key Policies Enterprise Trust list is changed. | Medium |
| Computer Public Key Policies Enterprise Trust List Removed | Created when a certificate in the Computer Configuration Public Key Policies Enterprise Trust list is removed. | Medium |
| Computer Public Key Policies Trusted Root Certification Authority Added | Created when a certificate is imported into the Computer Configuration Public Key Policies Trusted Root Certification Authorities. | Medium |
| Computer Public Key Policies Trusted Root Certification Authority Changed | Created when a certificate in the Computer Configuration Public Key Policies Trusted Root Certification Authorities is changed. | Medium |
| Computer Public Key Policies Trusted Root Certification Authority Removed | Created when a certificate in the Computer Configuration Public Key Policies Trusted Root Certification Authorities is removed. | Medium |
| Computer Software Installation Policy Added | Created when a Software Installation is added to the Computer Configuration Group Policy. | Medium |
| Computer Software Installation Policy Changed | Created when a Software Installation is changed in the Computer Configuration Group Policy. | Medium |
| Computer Software Installation Policy Removed | Created when a Software Installation is removed from the Computer Configuration Group Policy. | Medium |
| Computer Software Restriction Basic User Hash Rule Added | Created when a Basic User Hash Rule has been added to Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Hash Rule Changed | Created when a Basic User Hash Rule has changed in Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Hash Rule Removed | Created when a Basic User Hash Rule is removed from Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Path Rule Added | Created when a Basic User Path Rule has been added to Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Path Rule Changed | Created when a Basic User Path Rule has changed in Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Path Rule Removed | Created when a Basic User Path Rule has been removed from Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Zone Rule Added | Created when a Basic User Zone Rule is added to Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Zone Rule Changed | Created when a Basic User Zone Rule is changed in Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Basic User Zone Rule Removed | Created when a Basic User Zone Rule is removed from Computer Configuration Software Restriction policies. | Medium |
| Computer Software Restriction Designated File Types Changed | Created when the Designated File Types policy is changed in the Software Restriction Policies. | Medium |
| Computer Software Restriction Disallowed Certificate Rule Added | Created when a Disallowed level Certificate Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Certificate Rule Changed | Created when a Disallowed level Certificate Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Certificate Rule Removed | Created when a Disallowed level Certificate Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Hash Rule Added | Created when a Disallowed level Hash Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Hash Rule Changed | Created when a Disallowed level Hash Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Hash Rule Removed | Created when a Disallowed level Hash Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Path Rule Added | Created when a Disallowed level Path Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Path Rule Changed | Created when a Disallowed level Path Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Path Rule Removed | Created when a Disallowed level Path Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Zone Rule Added | Created when a Disallowed level Zone Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Zone Rule Changed | Created when a Disallowed level Zone Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Disallowed Zone Rule Removed | Created when a Disallowed level Zone Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Enforcement Files Changed | Created when an Enforcement Policy Applicable Files option is changed in the Software Restriction Policies. | Medium |
| Computer Software Restriction Enforcement Users Changed | Created when an Enforcement Policy Applicable Users option is changed in the Software Restriction Policies. | Medium |
| Computer Software Restriction Policies Default Security Level Changed | Created when the default security level in the Computer Configuration Software Restriction Policies Security Levels folder is changed. | Medium |
| Computer Software Restriction Trusted Publishers Changed | Created when the Trusted Publisher policy is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Certificate Rule Added | Created when an Unrestricted level Certificate Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Certificate Rule Changed | Created when an Unrestricted level Certificate Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Certificate Rule Removed | Created when an Unrestricted level Certificate Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Hash Rule Added | Created when an Unrestricted level Hash Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Hash Rule Changed | Created when an Unrestricted level Hash Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Hash Rule Removed | Created when an Unrestricted level Hash Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Path Rule Added | Created when an Unrestricted level Path Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Path Rule Changed | Created when an Unrestricted level Path Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Path Rule Removed | Created when an Unrestricted level Path Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Zone Rule Added | Created when an Unrestricted level Zone Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Zone Rule Changed | Created when an Unrestricted level Zone Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| Computer Software Restriction Unrestricted Zone Rule Removed | Created when an Unrestricted level Zone Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| Create a Pagefile Policy Changed | Created when the Computer policy Create A Pagefile setting is changed in a Group Policy Object. | Medium |
Create a Token Object Policy Changed | Created when the Computer policy Create A Token Object setting is changed in a Group Policy Object. | Medium
Create Global Objects Policy Changed | Created when the Computer policy Create Global Objects setting is changed in a Group Policy Object. | Medium
Create Permanent Shared Objects Policy Changed | Created when the Computer policy Create Permanent Shared Objects setting is changed in a Group Policy Object. | Medium
Create Symbolic Links | Created when the Create Symbolic Links policy is changed in a Group Policy Object. | Medium
DCOM: Machine Access Restrictions Policy Defined | Created when the DCOM: Machine Access Restrictions policy setting is defined on a Group Policy Object. | Medium
DCOM: Machine Access Restrictions Policy Undefined | Created when the DCOM: Machine Access Restrictions policy setting is undefined on a Group Policy Object. | Medium
DCOM: Machine Access Restrictions Security Settings Changed | Created when the DCOM: Machine Access Restrictions in Security Descriptor Definition (SDDL) Syntax security setting is changed in a Group Policy Object. | Medium
DCOM: Machine Launch Restrictions Policy Defined | Created when the DCOM: Machine Launch Restrictions policy setting is defined on a Group Policy Object. | Medium
DCOM: Machine Launch Restrictions Policy Undefined | Created when the DCOM: Machine Launch Restrictions policy setting is undefined on a Group Policy Object. | Medium
DCOM: Machine Launch Restrictions Security Settings Changed | Created when the DCOM: Machine Launch Restrictions in Security Descriptor Definition (SDDL) Syntax security setting is changed in a Group Policy Object. | Medium
Debug Programs Policy Changed | Created when the Computer policy Debug Programs setting is changed in a Group Policy Object. | Medium
Deny Access to this Computer from the Network Policy Changed | Created when the Computer policy Deny Access to this Computer from the Network setting is changed in a Group Policy Object. | Medium
Deny Log On as a Batch Job Policy Changed | Created when the Computer policy Deny Log On as a Batch Job setting is changed in a Group Policy Object. | Medium
Deny Log On as a Service Policy Changed | Created when the Computer policy Deny Log On As A Service setting is changed in a Group Policy Object. | Medium
Deny Log On Locally Policy Changed | Created when the Computer policy Deny Log On Locally setting is changed in a Group Policy Object. | Medium
Deny Log On Through Terminal Services /Remote Desktop Service Policy Changed | Created when the Computer policy Deny Log On Through Terminal Services setting is changed in a Group Policy Object. | Medium
Detailed Tracking: Audit DPAPI Activity Changed | Created when the Detailed Tracking: Audit DPAPI Activity policy setting is changed in a Group Policy Object. | Medium
Detailed Tracking: Audit Process Creation Changed | Created when the Detailed Tracking: Audit Process Creation policy setting is changed in a Group Policy Object. | Medium
Detailed Tracking: Audit Process Termination Changed | Created when the Detailed Tracking: Audit Process Termination policy setting is changed in a Group Policy Object. | Medium
Detailed Tracking: Audit RPC Events Changed | Created when the Detailed Tracking: Audit RPC Events policy setting is changed in a Group Policy Object. | Medium
Devices: Allow Undock Without Having to Logon Policy Changed | Created when the Devices: Allow Undock Without Having To Logon setting is changed in a Group Policy Object. | Medium
Devices: Allowed to Format and Eject Removable Media Policy Changed | Created when the Devices: Allowed To Format And Eject Removable Media setting is changed in a Group Policy Object. | Medium
Devices: Prevent Users from Installing Printer Drivers Policy Changed | Created when the Devices: Prevent Users From Installing Printer Drivers setting is changed in a Group Policy Object. | Medium
Devices: Restrict CD-ROM Access to Locally Logged-On User Only Policy Changed | Created when the Devices: Restrict CD-ROM Access To Locally Logged-On User Only setting is changed in a Group Policy Object. | Medium
Devices: Restrict Floppy Access to Locally Logged-On User Only Policy Changed | Created when the Devices: Restrict Floppy Access To Locally Logged-On User Only setting is changed in a Group Policy Object. | Medium
Devices: Unsigned Driver Installation Behavior Policy Changed | Created when the Devices: Unsigned Driver Installation Behavior setting is changed in a Group Policy Object. | Medium
Domain Controller: Allow Server Operators to Schedule Tasks Policy Changed | Created when the Domain controllers: Allow Server Operators To Schedule Tasks setting is changed in a Group Policy Object. | Medium
Domain Controller: LDAP Server Signing Requirements Policy Changed | Created when the Domain controllers: LDAP Server Signing Requirements setting is changed in a Group Policy Object. | Medium
Domain Controller: Refuse Machine Account Password Changes Policy Changed | Created when the Domain controllers: Refuse Machine Account Password Changes setting is changed in a Group Policy Object. | Medium
Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) Policy Changed | Created when the Domain Member: Digitally Encrypt Or Sign Secure Channel Data (Always) setting is changed in a Group Policy Object. | Medium
Domain Member: Digitally Encrypt Secure Channel Data (When Possible) Policy Changed | Created when the Domain Member: Digitally Encrypt Secure Channel Data (When Possible) setting is changed in a Group Policy Object. | Medium
Domain Member: Digitally Sign Secure Channel Data (When Possible) Policy Changed | Created when the Domain Member: Digitally Sign Secure Channel Data (When Possible) setting is changed in a Group Policy Object. | Medium
Domain Member: Disable Machine Account Password Changes Policy Changed | Created when the Domain Member: Disable Machine Account Password Changes setting is changed in a Group Policy Object. | Medium
Domain Member: Maximum Machine Account Password Age Policy Changed | Created when the Domain Member: Maximum Machine Account Password Age setting is changed in a Group Policy Object. | Medium
Domain Member: Require Strong (Windows 2000 or Later) Session Key Policy Changed | Created when the Domain Member: Require Strong (Windows 2000 Or Later) Session Key setting is changed in a Group Policy Object. | Medium
DS Access: Audit Detailed Directory Service Replication Changed | Created when the DS Access: Audit Detailed Directory Service Replication policy setting is changed in a Group Policy Object. | Medium
DS Access: Audit Directory Service Access Changed | Created when the DS Access: Audit Directory Service Access policy setting is changed in a Group Policy Object. | Medium
DS Access: Audit Directory Service Changes Changed | Created when the DS Access: Audit Directory Service Changes policy setting is changed in a Group Policy Object. | Medium
DS Access: Audit Directory Service Replication Changed | Created when the DS Access: Audit Directory Service Replication policy setting is changed in a Group Policy Object. | Medium
Enable Computer and User Accounts to be Trusted for Delegation Changed Policy | Created when the Computer policy Enable Computer And User Accounts To Be Trusted For Delegation setting is changed in a Group Policy Object. | Medium
Enforce Password History Policy Changed | Created when the Computer policy Enforce Password History setting is changed in a Group Policy Object. | Medium
Enforce User Logon Restrictions Policy Changed | Created when the Computer policy Enforce User Logon Restrictions setting is changed in a Group Policy Object. | Medium
File or Folder Added to File System Policy | Created when a registry key is added to the File System policy. | Medium
File or Folder Changed in File System Policy | Created when a file or folder is changed in the File System policy. | Medium
File or Folder Removed from File System Policy | Created when a file or folder is removed from the File System policy. | Medium
Force Shutdown from a Remote System Policy Changed | Created when the Computer policy Force Shutdown From A Remote System setting is changed in a Group Policy Object. | Medium
Generate Security Audits Policy Changed | Created when the Computer policy Generate Security Audits setting is changed in a Group Policy Object. | Medium
Global Object Access Auditing: File System Changed | Created when the Global Object Auditing: File System security policy is changed. | Medium
Global Object Access Auditing: Registry Changed | Created when the Global Object Auditing: Registry security policy is changed. | Medium
Group Added To Restricted Group Policy | Created when a group is added to the Restricted Group policy in a Group Policy Object. | Medium
Group Removed from Restricted Group Policy | Created when a group is removed from the Restricted Group policy in a Group Policy Object. | Medium
Impersonate a Client after Authentication Policy Changed | Created when the Computer policy Impersonate A Client After Authentication setting is changed in a Group Policy Object. | Medium
Increase a Process Working Set | Created when the Increase a Process Working Set policy is changed in a Group Policy Object. | Medium
Increase Scheduling Priority Policy Changed | Created when the Computer policy Increase Scheduling Priority setting is changed in a Group Policy Object. | Medium
Interactive Logon: Display User Information When the Session is Locked Policy Changed | Created when the Interactive Logon: Display User Information When the Session is Locked setting is changed in a Group Policy Object. | Medium
Interactive Logon: Do Not Display Last User Name Policy Changed | Created when the Interactive Logon: Do Not Display Last User Name setting is changed in a Group Policy Object. | Medium
Interactive Logon: Do Not Require CTRL+ALT+DEL Policy Changed | Created when the Interactive Logon: Do Not Require CTRL+ALT+DEL setting is changed in a Group Policy Object. | Medium
Interactive Logon: Message Text for Users Attempting to Log On Policy Changed | Created when the Interactive Logon: Message Text For Users Attempting To Log On setting is changed in a Group Policy Object. | Medium
Interactive Logon: Message Title for Users Attempting to Log On Policy Changed | Created when the Interactive Logon: Message Title For Users Attempting To Log On setting is changed in a Group Policy Object. | Medium
Interactive Logon: Number Of Previous Logons To Cache (In Case Domain Controller is Not Available) Policy Changed | Created when the Interactive Logon: Number Of Previous Logons To Cache setting is changed in a Group Policy Object. | Medium
Interactive Logon: Prompt User to Change Password Before Expiration Policy Changed | Created when the Interactive Logon: Prompt User To Change Password Before Expiration setting is changed in a Group Policy Object. | Medium
Interactive Logon: Require Domain Controller Authentication to Unlock Workstation Policy Changed | Created when the Interactive Logon: Require Domain controller Authentication to Unlock Workstation setting is changed in a Group Policy Object. | Medium
Interactive Logon: Require Smart Card Policy Changed | Created when the Interactive Logon: Require Smart Card setting is changed in a Group Policy Object. | Medium
Interactive Logon: Smart Card Removal Behavior Policy Changed | Created when the Interactive Logon: Smart Card Removal Behavior setting is changed in a Group Policy Object. | Medium
Intermediate Certificate Authorities Added | Created when an Intermediate Certification Authorities (CA) certificate is added to a Group Policy Object. | Medium
Intermediate Certificate Authorities Changed | Created when the Intermediate Certification Authorities certificate is changed on a Group Policy Object. | Medium
Intermediate Certificate Authorities Removed | Created when an Intermediate Certification Authorities (CA) certificate is removed from a Group Policy Object. | Medium
IP Security Policy Assigned | Created when an IP Security Policy is assigned in the Computer Configuration Group Policy. | Medium
IP Security Policy Un-assigned | Created when an IP Security Policy is un-assigned in the Computer Configuration Group Policy. | Medium
Load and Unload Device Drivers Policy Changed | Created when the Computer policy Load And Unload Device Drivers setting is changed in a Group Policy Object. | Medium
Lock Pages in Memory Policy Changed | Created when the Computer policy Lock Pages In Memory setting is changed in a Group Policy Object. | Medium
Log On as a Batch Job Policy Changed | Created when the Computer policy Log On As A Batch Job setting is changed in a Group Policy Object. | Medium
Log On as a Service Policy Changed | Created when the Computer policy Log On As A Service setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Account Lockout Changed | Created when the Logon/Logoff: Audit Account Lockout policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit IPsec Extended Mode Changed | Created when the Logon/Logoff: Audit IPsec Extended Mode policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit IPsec Main Mode Changed | Created when the Logon/Logoff: Audit IPsec Main Mode policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit IPsec Quick Mode Changed | Created when the Logon/Logoff: Audit IPsec Quick Mode policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Logoff Changed | Created when the Logon/Logoff: Audit Logoff policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Logon Changed | Created when the Logon/Logoff: Audit Logon policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Network Policy Server Changed | Created when the Logon/Logoff: Audit Network Policy Server policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Other Logon/Logoff Events Changed | Created when the Logon/Logoff: Audit Other Logon/Logoff Events policy setting is changed in a Group Policy Object. | Medium
Logon/Logoff: Audit Special Logon Changed | Created when the Logon/Logoff: Audit Special Logon policy setting is changed in a Group Policy Object. | Medium
Manage Auditing and Security Log Policy Changed | Created when the Manage Auditing And Security Log setting is changed in a Group Policy Object. | Medium
Maximum Application Log Size Policy Changed | Created when the Maximum Application Log Size setting is changed in a Group Policy Object. | Medium
Maximum Lifetime for Service Ticket Policy Changed | Created when the Computer policy Maximum Lifetime for Service Ticket setting is changed in a Group Policy Object. | Medium
Maximum Lifetime for User Ticket Policy Changed | Created when the Computer policy Maximum Lifetime for User Ticket setting is changed in a Group Policy Object. | Medium
Maximum Lifetime for User Ticket Renewal Policy Changed | Created when the Computer policy Maximum Lifetime for User Ticket Renewal setting is changed in a Group Policy Object. | Medium
Maximum Password Age Policy Changed | Created when the Computer policy Maximum Password Age setting is changed in a Group Policy Object. | Medium
Maximum Security Log Size Policy Changed | Created when the Maximum Security Log Size setting is changed in a Group Policy Object. | Medium
Maximum System Log Size Policy Changed | Created when the Maximum System Log Size setting is changed in a Group Policy Object. | Medium
Maximum Tolerance for Computer Clock Synchronization Policy Changed | Created when the Computer policy Maximum Tolerance for Computer Clock Synchronization setting is changed in a Group Policy Object. | Medium
Member Added to Group in the Restricted Group Policy | Created when a member is added to a group in the Restricted Group policy of a Group Policy Object. | Medium
Member Removed from Group in the Restricted Group Policy | Created when a member is removed from a group in the Restricted Group policy of a Group Policy Object. | Medium
Membership Added to Group in the Restricted Group Policy | Created when a membership is added to a group in the Restricted Group policy of a Group Policy Object. | Medium
Membership Removed from Group in the Restricted Group Policy | Created when a membership is removed from a group in the Restricted Group policy of a Group Policy Object. | Medium
Microsoft Network Client: Digitally Sign Communications (Always) Policy Changed | Created when the Microsoft® Network Client: Digitally Sign Communications (Always) setting is changed in a Group Policy Object. | Medium
Microsoft Network Client: Digitally Sign Communications (If Server Agrees) Policy Changed | Created when the Microsoft Network Client: Digitally Sign Communications (If Server Agrees) setting is changed in a Group Policy Object. | Medium
Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Servers Policy Changed | Created when the Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Servers setting is changed in a Group Policy Object. | Medium
Microsoft Network Server: Amount of Idle Time Required Before Suspending Sessions Policy Changed | Created when the Microsoft Network Server: Amount of Idle Time Required Before Suspending Sessions setting is changed in a Group Policy Object. | Medium
Microsoft Network Server: Digitally Sign Communications (Always) Policy Changed | Created when the Microsoft Network Server: Digitally Sign Communications (Always) setting is changed in a Group Policy Object. | Medium
Microsoft Network Server: Digitally Sign Communications (If Client Agrees) Policy Changed | Created when the Microsoft Network Server: Digitally Sign Communications (If Client Agrees) setting is changed in a Group Policy Object. | Medium
Microsoft Network Server: Disconnect Clients When Logon Hours Expire Policy Changed | Created when the Microsoft Network Server: Disconnect Clients When Logon Hours Expire setting is changed in a Group Policy Object. | Medium
Microsoft Network Server: Server SPN Target Name Validation Level | Created when the Microsoft Network Server: Server SPN Target Name Validation Level policy is changed in a Group Policy Object. | Medium
Minimum Password Age Policy Changed | Created when the Computer policy Minimum Password Age setting is changed in a Group Policy Object. | Medium
Minimum Password Length Policy Changed | Created when the Computer policy Minimum Password Length setting is changed in a Group Policy Object. | Medium
Modify an Object Label | Created when the Modify an Object Label policy is changed in a Group Policy Object. | Medium
Modify Firmware Environment Policy Changed | Created when the Modify Firmware Environment setting is changed in a Group Policy Object. | Medium
NAP Client Health Registration Settings: CSP Changed | Created when the Cryptographic Service Provider (CSP) is changed in a NAP client request policy. | Medium
NAP Client Health Registration Settings: CSP Key Length Changed | Created when the CSP asymmetric key length is changed in a NAP client request policy. | Medium
NAP Client Health Registration Settings: Hash Algorithm Changed | Created when the hash algorithm is changed in a NAP client request policy. | Medium
NAP Client Health Registration Settings: Require Server Verification Changed | Created when the server verification (HTTP) setting is enabled or disabled in a NAP client configuration. | Medium
NAP Client Health Registration Settings: Trusted Server Group Added | Created when a new trusted server group is created in a NAP client configuration. | Medium
NAP Client Health Registration Settings: Trusted Server Group Removed | Created when a trusted server group is removed from a NAP client configuration. | Medium
NAP Client Health Registration Settings: Trusted Server URL Added | Created when a new URL for a HRA server is added to the trusted server group in a NAP client configuration. | Medium
NAP Client Health Registration Settings: Trusted Server URL Changed | Created when an existing URL for a HRA server is modified in a NAP client configuration. | Medium
NAP Client Health Registration Settings: Trusted Server URL Removed | Created when a URL for a HRA server is removed from the trusted server group in a NAP client configuration. | Medium
NAP User Interface Description Changed | Created when the description field on the NAP Status User Interface properties dialog is changed for an NAP client configuration. | Medium
NAP User Interface Image File Changed | Created when the image file is changed on the NAP Status User Interface properties dialog for an NAP client configuration. | Medium
NAP User Interface Image File Name Changed | Created when the image file name is changed on the NAP Status User Interface properties dialog for an NAP client configuration. | Medium
NAP User Interface Title Changed | Created when the title field on the NAP Status User Interface properties dialog is changed for an NAP client configuration. | Medium
NAP: DHCP Quarantine Enforcement Client Changed | Created when the DHCP Quarantine Enforcement Client setting is enabled or disabled for an NAP client configuration. | Medium
NAP: EAP Quarantine Enforcement Client Changed | Created when the EAP Quarantine Enforcement Client setting is enabled or disabled for an NAP client configuration. | Medium
NAP: IPsec Relying Party Changed | Created when the IPsec Relying Party setting is enabled or disabled for an NAP client configuration. | Medium
NAP: RD Gateway Quarantine Enforcement Client Changed | Created when the RD Gateway Quarantine Enforcement Client setting is enabled or disabled for an NAP client configuration. | Medium
NAP: Remote Access Enforcement Client for Windows XP and Windows Vista Changed | Created when the Remote Access Enforcement Client for Windows XP and Windows Vista setting is enabled or disabled for an NAP client configuration. | Medium
NAP: Wireless EAPOL Enforcement Client for Windows XP Changed | Created when the Wireless EAPOL Enforcement Client for Windows XP setting is enabled or disabled for an NAP client configuration. | Medium
Network Access: Allow Anonymous SID/Name Translation Policy Changed | Created when the Network Access: Allow Anonymous SID/Name Translation setting is changed in a Group Policy Object. | Medium
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts And Shares Policy Changed | Created when the Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts and Shares setting is changed in a Group Policy Object. | Medium
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts Policy Changed | Created when the Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts setting is changed in a Group Policy Object. | Medium
Network Access: Do Not Allow Storage of Credentials or .NET Passports for Network Authentication Policy Changed | Created when the Network Access: Do Not Allow Storage of Credentials or .NET Passports for Network Authentication setting is changed in a Group Policy Object. | Medium
Network Access: Let Everyone Permissions Apply to Anonymous Users Policy Changed | Created when the Network Access: Let Everyone Permissions Apply to Anonymous Users setting is changed in a Group Policy Object. | Medium
Network Access: Named Pipes that can be Accessed Anonymously Policy Changed | Created when the Network Access: Named Pipes that can be Accessed Anonymously setting is changed in a Group Policy Object. | Medium
Network Access: Remotely Accessible Registry Paths and Sub-Paths Changed | Created when the Network Access: Remotely Accessible Registry Paths And Sub-Paths setting is changed in a Group Policy Object. | Medium
Network Access: Remotely Accessible Registry Paths Policy Changed | Created when the Network Access: Remotely Accessible Registry Paths setting is changed in a Group Policy Object. | Medium
Network Access: Restrict Anonymous Access to Named Pipes and Shares Policy Changed | Created when the Network Access: Restrict Anonymous Access To Named Pipes and Shares setting is changed in a Group Policy Object. | Medium
Network Access: Shares that can be Accessed Anonymously Policy Changed | Created when the Network Access: Shares that can be Accessed Anonymously setting is changed in a Group Policy Object. | Medium
Network Access: Sharing and Security Model for Local Accounts Changed | Created when the Network Access: Sharing and Security Model for Local Accounts setting is changed in a Group Policy Object. | Medium
Network Security: Allow Local System to Use Computer Identity for NTLM | Created when the Network Security: Allow Local System to Use Computer Identity for NTLM setting is changed in a Group Policy Object. | Medium
Network Security: Allow LocalSystem NULL Session Fallback | Created when the Network Security: Allow LocalSystem NULL Session Fallback setting is changed in a Group Policy Object. | Medium
Network Security: Allow PKU2U Authentication Requests to this Computer to use Online Identities | Created when the Network Security: Allow PKU2U Authentication Requests to this Computer to use Online Identities setting is changed in a Group Policy Object. | Medium
Network Security: Configure Encryption Types Allowed for Kerberos | Created when the Network Security: Configure Encryption Types Allowed for Kerberos setting is changed in a Group Policy Object. | Medium
Network Security: Do Not Store LAN Manager Hash Value on Next Password Change Policy Changed | Created when the Network Security: Do Not Store LAN Manager Hash Value on Next Password Change setting is changed in a Group Policy Object. | Medium
Network Security: Force Logoff When Logon Hours Expire Policy Changed | Created when the Network Security: Force Logoff When Logon Hours Expire setting is changed in a Group Policy Object. | Medium
Network Security: LAN Manager Authentication Level Policy Changed | Created when the Network Security: LAN Manager Authentication Level setting is changed in a Group Policy Object. | Medium
Network Security: LDAP Client Signing Requirements Policy Changed | Created when the Network Security: LDAP Client Signing Requirements setting is changed in a Group Policy Object. | Medium
Network Security: Minimum Session Security for NTLM SSP Based (Including Secure RPC) Clients Policy Changed | Created when the Network Security: Minimum Session Security for NTLM SSP Based (Including Secure RPC) Clients setting is changed in a Group Policy Object. | Medium
Network Security: Minimum Session Security for NTLM SSP Based (Including Secure RPC) Servers Policy Changed | Created when the Network Security: Minimum Session Security for NTLM SSP Based (Including Secure RPC) Servers setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Add Remote Server Exceptions for NTLM Authentication | Created when the Network Security: Restrict NTLM: Add Remote Server Exceptions for NTLM Authentication policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Add Server Exceptions in This Domain | Created when the Network Security: Restrict NTLM: Add Server Exceptions in This Domain policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic | Created when the Network Security: Restrict NTLM: Audit Incoming NTLM Traffic policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Audit NTLM Authentication in This Domain | Created when the Network Security: Restrict NTLM: Audit NTLM Authentication in This Domain policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Incoming NTLM Traffic | Created when the Network Security: Restrict NTLM: Incoming NTLM Traffic policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: NTLM Authentication in This Domain | Created when the Network Security: Restrict NTLM: NTLM Authentication in This Domain policy setting is changed in a Group Policy Object. | Medium
Network Security: Restrict NTLM: Outgoing NTLM Traffic to Remote Servers | Created when the Network Security: Restrict NTLM: Outgoing NTLM Traffic to Remote Servers policy setting is changed in a Group Policy Object. | Medium
NLM: Location Type Added | Created when an NLM: Location Type is added to a Group Policy Object. | Medium
NLM: Location Type Changed | Created when an NLM: Location Type is changed in a Group Policy Object. | Medium
NLM: Location Type Permissions Added | Created when an NLM: Location Type Permission is added to a Group Policy Object. | Medium
NLM: Location Type Permissions Changed | Created when an NLM: Location Type Permission is changed in a Group Policy Object. | Medium
NLM: Location Type Permissions Removed | Created when an NLM: Location Type Permission is removed from a Group Policy Object. | Medium
NLM: Location Type Removed | Created when an NLM: Location Type is removed from a Group Policy Object. | Medium
NLM: Network Icon Added | Created when an NLM: Network Icon is added to a Group Policy Object. | Medium
NLM: Network Icon Changed | Created when an NLM: Network Icon is changed in a Group Policy Object. | Medium
NLM: Network Icon Permissions Added | Created when an NLM: Network Icon Permission is added to a Group Policy Object. | Medium
NLM: Network Icon Permissions Changed | Created when an NLM: Network Icon Permission is changed in a Group Policy Object. | Medium
NLM: Network Icon Permissions Removed | Created when an NLM: Network Icon Permission is removed from a Group Policy Object. | Medium
NLM: Network Icon Removed | Created when an NLM: Network Icon is removed from a Group Policy Object. | Medium
NLM: Network Name Added | Created when an NLM: Network Name is added to a Group Policy Object. | Medium
NLM: Network Name Changed | Created when an NLM: Network Name is changed in a Group Policy Object. | Medium
NLM: Network Name Permissions Added | Created when an NLM: Network Name Permission is added to a Group Policy Object. | Medium
NLM: Network Name Permissions Changed | Created when an NLM: Network Name Permission is changed in a Group Policy Object. | Medium
NLM: Network Name Permissions Removed | Created when an NLM: Network Name Permission is removed from a Group Policy Object. | Medium
NLM: Network Name Removed | Created when an NLM: Network Name is removed from a Group Policy Object. | Medium
Object Access: Audit Application Generated Changed | Created when the Object Access: Audit Application Generated policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Certification Services Changed | Created when the Object Access: Audit Certification Services policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit File Share Changed | Created when the Object Access: Audit File Share policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit File System Changed | Created when the Object Access: Audit File System policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Filtering Platform Connection Changed | Created when the Object Access: Audit Filtering Platform Connection policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Filtering Platform Packet Drop Changed | Created when the Object Access: Audit Filtering Platform Packet Drop policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Handle Manipulation Changed | Created when the Object Access: Audit Handle Manipulation policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Kernel Object Changed | Created when the Object Access: Audit Kernel Object policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Other Object Access Events Changed | Created when the Object Access: Audit Other Object Access Events policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit Registry Changed | Created when the Object Access: Audit Registry policy setting is changed in a Group Policy Object. | Medium
Object Access: Audit SAM Changed | Created when the Object Access: Audit SAM policy setting is changed in a Group Policy Object. | Medium
Object Access: Detailed File Share Changed | Created when the Object Access: Audit Detailed File Share policy setting is changed in a Group Policy Object. | Medium
Password Must Meet Complexity Requirements Policy Changed | Created when the Computer policy Password Must Meet Complexity Requirements setting is changed in a Group Policy Object. | Medium
Perform Volume Maintenance Tasks Policy Changed | Created when the Perform Volume Maintenance Tasks setting is changed in a Group Policy Object. | Medium
Permissions Changed on a System Services Policy | Created when permissions change in a System Services Policy in a Group Policy Object. | Medium
Policy Change: Audit Audit Policy Change Changed | Created when the Policy Change: Audit Audit Policy Change security setting is changed in a Group Policy Object. | Medium
Policy Change: Audit Authentication Policy Change Changed | Created when the Policy Change: Audit Authentication Policy Change security setting is changed in a Group Policy Object. | Medium
Policy Change: Audit Authorization Policy Change Changed | Created when the Policy Change: Audit Authorization Policy Change security setting is changed in a Group Policy Object. | Medium
Policy Change: Audit Filtering Platform Policy Change Changed | Created when the Policy Change: Audit Filtering Platform Policy Change security setting is changed in a Group Policy Object. | Medium
Policy Change: Audit MPSSVC Rule-Level Policy Change Changed | Created when the Policy Change: Audit MPSSVC Rule-Level Policy Change security setting is changed in a Group Policy Object. | Medium
Policy Change: Audit Other Policy Change Events Changed | Created when the Policy Change: Audit Other Policy Change Events security setting is changed in a Group Policy Object. | Medium
Prevent Local Guests Group from Accessing Application Log Policy Change | Created when the Prevent Local Guests Group from Accessing Application Log setting is changed in a Group Policy Object. | Medium

| Prevent Local Guests Group from Accessing Security Log Policy Changed | Created when the Prevent Local Guests Group from Accessing Security Log setting is changed in a Group Policy Object. | Medium |
| Prevent Local Guests Group From Accessing System Log Policy Changed | Created when the Prevent Local Guests Group From Accessing System Log setting is changed in a Group Policy Object. | Medium |
| Privilege Use: Audit Non Sensitive Privilege Use Changed | Created when the Privilege Use: Audit Non Sensitive Privilege Use security setting is changed in a Group Policy Object. | Medium |
| Privilege Use: Audit Other Privilege Use Events Changed | Created when the Privilege Use: Audit Other Privilege Use Events security setting is changed in a Group Policy Object. | Medium |
| Privilege Use: Audit Sensitive Privilege Use Changed | Created when the Privilege Use: Audit Sensitive Privilege Use security setting is changed in a Group Policy Object. | Medium |
| Profile Single Process Policy Changed | Created when the Profile Single Process setting is changed in a Group Policy Object. | Medium |
| Profile System Performance Policy Changed | Created when the Profile System Performance setting is changed in a Group Policy Object. | Medium |
| QoS Policy: Application Name Changed | Created when the application name specified in a QoS policy is changed. | Medium |
| QoS Policy: DSCP Value Changed | Created when the DSCP value specified in a QoS policy is changed. | Medium |
| QoS Policy: Local IP Changed | Created when the source IP address specified in a QoS policy is changed. | Medium |
| QoS Policy: Local IP Prefix Length Changed | Created when the prefix length of the source IP address specified in a QoS policy is changed. | Medium |
| QoS Policy: Local Port Changed | Created when the source port specified in a QoS policy is changed. | Medium |
| QoS Policy: Protocol Changed | Created when the protocol to which a QoS policy applies is changed. | Medium |
| QoS Policy: Remote IP Changed | Created when the destination IP address specified in a QoS policy is changed. | Medium |
| QoS Policy: Remote IP Prefix Length Changed | Created when the prefix length of the destination IP address specified in a QoS policy is changed. | Medium |
| QoS Policy: Remote Port Changed | Created when the destination port specified in a QoS policy is changed. | Medium |
| QoS Policy: Throttle Rate Changed | Created when the traffic throttle rate setting or value is modified in a QoS policy. | Medium |
| QoS Policy: URL Changed | Created when the HTTP or HTTPS URL specified in a QoS policy is changed. | Medium |
| QoS Policy: URL Recursive Changed | Created when the Include subdirectories and files option is enabled or disabled for a QoS policy. | Medium |
| QoS Policy: Version Changed | Created when the version specified in a QoS policy is changed. | Medium |
| Recovery Console: Allow Automatic Administrative Logon Policy Changed | Created when the Recovery Console: Allow Automatic Administrative Logon setting is changed in a Group Policy Object. | Medium |
| Recovery Console: Allow Floppy Copy And Access Policy Changed | Created when the Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders setting is changed in a Group Policy Object. | Medium |
| Registry Key Added to Registry Policy | Created when a registry key is added to the Registry policy. | Medium |
| Registry Key Changed in Registry Policy | Created when a registry key is changed in the Registry policy. | Medium |
| Registry Key Removed from Registry Policy | Created when a registry key is removed from the Registry policy. | Medium |
| Remove Computer from Docking Station Policy Changed | Created when the Remove Computer From Docking Station setting is changed in a Group Policy Object. | Medium |
| Replace a Process Level Token Policy Changed | Created when the Replace a Process Level Token setting is changed in a Group Policy Object. | Medium |
| Reset Account Lockout Counter After Change Policy Changed | Created when the Computer policy Reset Account Lockout Counter After Change setting is changed in a Group Policy Object. | Medium |
| Restore Files and Directories Policy Changed | Created when the Restore Files and Directories setting is changed in a Group Policy Object. | Medium |
| Retain Application Log Policy Changed | Created when the Retain Application Log setting is changed in a Group Policy Object. | Medium |
| Retain Security Log Policy Changed | Created when the Retain Security Log setting is changed in a Group Policy Object. | Medium |
| Retain System Log Policy Changed | Created when the Retain System Log setting is changed in a Group Policy Object. | Medium |
| Retention Method for Application Log Policy Changed | Created when the Retention Method For Application Log setting is changed in a Group Policy Object. | Medium |
| Retention Method for Security Log Policy Changed | Created when the Retention Method For Security Log setting is changed in a Group Policy Object. | Medium |
| Retention Method for System Log Policy Changed | Created when the Retention Method For System Log setting is changed in a Group Policy Object. | Medium |
| Secure System Partition (For RISC Platforms only) Policy Changed | Created when the Secure System Partition (For RISC Platforms Only) setting is changed in a Group Policy Object. | Medium |
| Service Defined in System Services Policy | Created when a service is marked as defined in the System Services policy. | Medium |
| Service Startup Changed in System Services Policy | Created when a service startup is marked as changed in the System Services policy. | Medium |
| Service Undefined in System Services Policy | Created when a service is undefined from the System Services policy. | Medium |
| Shut Down the Computer When the Security Audit Log is Full Policy Changed | Created when the Shut Down the Computer When the Security Audit Log is Full setting is changed in a Group Policy Object. | Medium |
| Shut Down the System Policy Changed | Created when the Shut Down the System setting is changed in a Group Policy Object. | Medium |
| Shutdown: Allow System to be Shut Down Without Having to Log On Policy Changed | Created when the Allow System to be Shut Down Without Having to Log On setting is changed in a Group Policy Object. | Medium |
| Shutdown: Clear Virtual Memory Pagefile Policy Changed | Created when the Clear Virtual Memory Pagefile When System Shuts Down setting is changed in a Group Policy Object. | Medium |
| Starter GPO Computer Setting Changed | Created when a Computer Configuration policy setting is changed for a Starter GPO. | Medium |
| Starter GPO User Setting Changed | Created when a User Configuration policy setting is changed for a Starter GPO. | Medium |
| Store Passwords Using Reversible Encryption Policy Changed | Created when the Computer policy Store Passwords Using Reversible Encryption setting is changed in a Group Policy Object. | Medium |
| Synchronize Directory Service Data Policy Changed | Created when the Synchronize Directory Service Data setting is changed in a Group Policy Object. | Medium |
| System Cryptography: Force Strong Key Protection for User Keys Stored on the Computer Policy Changed | Created when the System Cryptography: Force Strong Key Protection For User Keys Stored On The Computer setting is changed in a Group Policy Object. | Medium |
| System Cryptography: Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing Policy Changed | Created when the System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, and Signing setting is changed in a Group Policy Object. | Medium |
| System Objects: Default Owner for Objects Created by Members of the Administrators Group Policy Changed | Created when the System Objects: Default Owner For Objects Created By Members Of The Administrators Group setting is changed in a Group Policy Object. | Medium |
| System Objects: Require Case Insensitivity for Non-Windows Subsystems Policy Changed | Created when the System Objects: Require Case Insensitivity For Non-Windows Subsystems setting is changed in a Group Policy Object. | Medium |
| System Objects: Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links) Policy Changed | Created when the System Objects: Strengthen Default Permissions Of Global System Objects setting is changed in a Group Policy Object. | Medium |
| System Objects: Strengthen Default Permissions of Internal System Objects (e.g. Symbolic Links) Policy Changed | Created when the System Objects: Strengthen Default Permissions Of Internal System Objects setting is changed in a Group Policy Object. | Medium |
| System Settings: Optional Subsystems Policy Changed | Created when the System Settings: Optional Subsystems setting is changed in a Group Policy Object. | Medium |
| System Settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Policy Changed | Created when the System Settings: Use Certificate Rules on Windows Executables for Software Restriction Policies setting is changed in a Group Policy Object. | Medium |
| System: Audit IPsec Driver Changed | Created when the System: Audit IPsec Driver security setting is changed in a Group Policy Object. | Medium |
| System: Audit Other System Events Changed | Created when the System: Audit Other System Events security setting is changed in a Group Policy Object. | Medium |
| System: Audit Security State Change Changed | Created when the System: Audit Security State Change security setting is changed in a Group Policy Object. | Medium |
| System: Audit Security System Extension Changed | Created when the System: Audit Security System Extension security setting is changed in a Group Policy Object. | Medium |
| System: Audit System Integrity Changed | Created when the System: Audit System Integrity security setting is changed in a Group Policy Object. | Medium |
| Take Ownership of Files or Other Objects Policy Changed | Created when the Take Ownership of Files or Other Objects setting is changed in a Group Policy Object. | Medium |
| Trusted People Added | Created when a Trusted People certificate is added to a Group Policy Object. | Medium |
| Trusted People Changed | Created when a Trusted People certificate is changed in a Group Policy Object. | Medium |
| Trusted People Removed | Created when a Trusted People certificate is removed from a Group Policy Object. | Medium |
| Unsigned Non-Driver Installation Behavior Policy Changed | Created when the Unsigned Non-Driver Installation Behavior setting is changed in a Group Policy Object. | Low |
| User Account Control: Admin Approval Mode for the Built-in Administrator Account | Created when the User Account Control: Admin Approval Mode for the Built-in Administration Account policy is changed in a Group Policy Object. | Medium |
| User Account Control: Allow UIAccess Applications to Prompt for Evaluation Without Using the Secure Desktop | Created when the User Account Control: Allow UIAccess Applications to Prompt for Evaluation Without Using the Secure Desktop policy is changed in a Group Policy Object. | Medium |
| User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode | Created when the User Account Control: Behavior of the Elevation Prompt for Administrators in Admin Approval Mode policy is changed in a Group Policy Object. | Medium |
| User Account Control: Behavior of the Elevation Prompt for Standard Users | Created when the User Account Control: Behavior of the Elevation Prompt for Standard Users policy is changed in a Group Policy Object. | Medium |
| User Account Control: Detect Application Installations and Prompt for Elevation | Created when the User Account Control: Detect Application Installations and Prompt for Elevation policy is changed in a Group Policy Object. | Medium |
| User Account Control: Only Elevate Executables that are Signed and Validated | Created when the User Account Control: Only Elevate Executables that are Signed and Validated policy is changed in a Group Policy Object. | Medium |
| User Account Control: Only Elevate UIAccess Applications that are Installed in Secure Locations | Created when the User Account Control: Only Elevate UIAccess Applications that are Installed in Secure Locations policy is changed in a Group Policy Object. | Medium |
| User Account Control: Run All Administrators in Admin Approval Mode | Created when the User Account Control: Run All Administrators in Admin Approval Mode policy is changed in a Group Policy Object. | Medium |
| User Account Control: Switch to the Secure Desktop When Prompting for Elevation | Created when the User Account Control: Switch to the Secure Desktop When Prompting for Elevation policy is changed in a Group Policy Object. | Medium |
| User Account Control: Virtualize File and Registry Write Failures to Per-User Locations | Created when the User Account Control: Virtualize File and Registry Write Failures to Per-User Locations policy is changed in a Group Policy Object. | Medium |
| User Administrative Template Setting Changed | Created when a setting associated with a User Administrative Template is enabled, changed, or disabled. | Medium |
| User Application Data Folder Redirection Options Changed | Created when Settings properties of the Application Data policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Application Data Folder Redirection Target Path Changed | Created when Target properties of the Application Data policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Contacts Folder Redirection Options Changed | Created when Settings properties of the Contacts policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Contacts Folder Redirection Target Path Changed | Created when Target properties of the Contacts policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Credential Roaming Added | Created when user credential roaming is added to a Group Policy Object. | Medium |
| User Credential Roaming Changed | Created when changes are made to user credential roaming in a Group Policy Object. | Medium |
| User Credential Roaming Options Changed | Created when the user credential roaming options are changed in a Group Policy Object. | Medium |
| User Credential Roaming Removed | Created when user credential roaming is removed from a Group Policy Object. | Medium |
| User Desktop Folder Redirection Options Changed | Created when Settings properties of the Desktop policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Desktop Folder Redirection Target Path Changed | Created when Target properties of the Desktop policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Downloads Folder Redirection Options Changed | Created when Settings properties of the Downloads policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Downloads Folder Redirection Target Path Changed | Created when Target properties of the Downloads policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Favorites Folder Redirection Options Changed | Created when Settings properties of the Favorites policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Favorites Folder Redirection Target Path Changed | Created when Target properties of the Favorites policy are changed in the Windows Settings Folder Redirection Policies. | Medium |
| User Group Policy Preference Setting Changed | Created when a user preference in a group policy is enabled, changed, or disabled. NOTE: Group policy preferences are available in Windows 2008 Group Policy Editor. NOTE: This event is not available in earlier versions of Windows server. | Medium |
| User Group Policy Script setting changed | Created when a computer startup/shutdown script in a group policy is added, changed, or removed. | Medium |
| User Internet Explorer Maintenance Automatic Browser Configuration Auto-config Option Changed | Created when the Automatic Configuration property of the Automatic Browser Configuration policy is changed in the Windows Settings Internet Explorer® Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Automatic Browser Configuration Auto-config Time Changed | Created when the Automatically Configure Every xx Minutes property of the Automatic Browser Configuration policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Automatic Browser Configuration Auto-config URL Changed | Created when the Auto-config URL property of the Automatic Browser Configuration policy is changed in the Windows Settings Internet Explorer Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Automatic Browser Configuration Auto-detect Option Changed | Created when the Automatic Detect property of the Automatic Browser Configuration policy is changed in the Windows Settings Internet Explorer Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Automatic Browser Auto-proxy URL Changed | Created when the Auto-proxy URL property of the Automatic Browser Configuration policy is changed in the Windows Settings Internet Explorer Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Browser Title Changed | Created when the User Internet Explorer Maintenance Browser Title setting is changed. | Medium |
| User Internet Explorer Maintenance Connection Delete Existing Option Changed | Created when the Remove Old Dial-up Connections property of the Connection Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Connections Settings Import Option Changed | Created when Import Settings property of the Connection Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connections policies. | Medium |
| User Internet Explorer Maintenance Content Ratings Option Changed | Created when the Content Ratings property in the Security Zones and Content Ratings policy is changed in the Windows Settings Internet Explorer Maintenance Security policies. | Medium |
| User Internet Explorer Maintenance Enable Trusted Publisher Lockdown Option Changed | Created when the Enable Trusted Publisher Lockdown property in the Authenticode Settings policy is changed in the Windows Settings Internet Explorer Maintenance Security policies. | Medium |
| User Internet Explorer Maintenance Important URLs Home Page URL Changed | Created when the Customize Home Page property in the Important URLs policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance Important URLs Online Support URL Changed | Created when the group policy setting for User Internet Maintenance Important URLs Help URL is changed. | Medium |
| User Internet Explorer Maintenance Important URLs Search Bar URL Changed | Created when the Customize Search Bar property in the Important URLs policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance Large Animated Logo Changed | Created when the Large Animated Logo Bitmap property of the Custom Logo policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance Large Static Logo Changed | Created when the Large Static Logo Bitmap property of the Custom Logo policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance Program Settings Option Changed | Created when the Program Settings policy is changed in the Windows Settings Internet Explorer Maintenance Programs policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings Configuration FTP Proxy Changed | Created when the FTP proxy URL property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings Configuration Gopher Proxy Changed | Created when the Gopher proxy URL property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings Configuration Secure Proxy Changed | Created when the Secure proxy URL property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings HTTP Proxy Changed | Created when the HTTP proxy URL property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings Proxy Exceptions Changed | Created when the Exceptions property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Proxy Settings Socks Proxy Changed | Created when the Socks proxy URL property of the Proxy Settings policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Internet Explorer Maintenance Security Zones and Privacy Customization Option Changed | Created when the Security Zones and Privacy property in the Security Zones and Content Ratings policy is changed in the Windows Settings Internet Explorer Maintenance Security policies. | Medium |
| User Internet Explorer Maintenance Small Animated Logo Changed | Created when the Small Animated Logo Bitmap property of the Custom Logo policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance Small Static Logo Changed | Created when the Small Static Logo Bitmap property of the Custom Logo policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance Toolbar Background Bitmap Changed | Created when the Background property of the Browser Toolbar Customizations policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance Toolbar Buttons Changed | Created when the Buttons property of the Browser Toolbar Customizations policy is changed in the Windows Settings Internet Explorer Maintenance Browser User Interface policies. | Medium |
| User Internet Explorer Maintenance URLs Browser Favorites List Changed | Created when the Favorites property in the Favorites and Links policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance URLs Browser Links List Changed | Created when the Links property in the Favorites and Links policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance URLs Favorites and Links Delete Existing Channels Option Changed | Created when the Delete Existing Channels option in the Favorites and Links policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance URLs Favorites and Links Delete Existing Favorites Option Changed | Created when the Delete Existing Favorites and Links option in the Favorites and Links policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance URLs Favorites and Links Top of List Option Changed | Created when the Place Favorites and Links at the Top of the List option in the Favorites and Links policy is changed in the Windows Settings Internet Explorer Maintenance URLs policies. | Medium |
| User Internet Explorer Maintenance User Agent String Changed | Created when the User Agent String policy is changed in the Windows Settings Internet Explorer Maintenance Connection policies. | Medium |
| User Links Folder Redirection Options Changed | Created when Settings properties of the Links policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Links Folder Redirection Target Path Changed | Created when Target properties of the Links policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Music Folder Redirection Options Changed | Created when Settings properties of the Music policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Music Folder Redirection Target Path Changed | Created when Target properties of the Music policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User My Documents Folder My Pictures Preferences Changed | Created when My Pictures Settings properties of the My Documents policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User My Documents Folder Redirection Options Changed | Created when Settings (other than My Pictures) properties of the My Documents policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User My Documents Folder Redirection Target Path Changed | Created when Target properties of the My Documents policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Pictures Folder Redirection Options Changed | Created when Settings properties of the Pictures policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Pictures Folder Redirection Target Path Changed | Created when Target properties of the Pictures policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Public Key Policies Autoenrollment Settings Changed | Created when any properties of Autoenrollment Settings in the User Configuration Public Key Policies Enterprise Trust list is changed. | Medium |
| User Public Key Policies Enterprise Trust List Added | Created when a certificate is imported into the User Configuration Public Key Policies Enterprise Trust. | Medium |
| User Public Key Policies Enterprise Trust List Changed | Created when a certificate in the User Configuration Public Key Policies Enterprise Trust list is changed. | Medium |
| User Public Key Policies Enterprise Trust List Removed | Created when a certificate in the User Configuration Public Key Policies Enterprise Trust list is removed. | Medium |
| User Saved Games Folder Redirection Options Changed | Created when Settings properties of the Saved Games policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Saved Games Folder Redirection Target Path Changed | Created when Target properties of the Saved Games policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Searches Folder Redirection Options Changed | Created when Settings properties of the Searches policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Searches Folder Redirection Target Path Changed | Created when Target properties of the Searches policy are changed in the Windows Settings Folder Redirection policies. | Medium |
| User Software Installation Policy Added | Created when a User Software Installation Policy is added to User Configuration in Software Restriction policies. | Medium |
| User Software Installation Policy Changed | Created when a User Software Installation Policy is changed in the User Configuration in Software Restriction policies. | Medium |
| User Software Installation Policy Removed | Created when a User Software Installation Policy is deleted from the User Configuration in Software Restriction policies. | Medium |
| User Software Restriction Basic User Hash Rule Added | Created when a Basic User Hash Rule is added to User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Hash Rule Changed | Created when a Basic User Hash Rule is changed in User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Hash Rule Removed | Created when a Basic User Hash Rule is removed from User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Path Rule Added | Created when a Basic User Path Rule is added to User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Path Rule Changed | Created when a Basic User Path Rule is changed in User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Path Rule Removed | Created when a Basic User Path Rule is removed in User Configuration Software Restriction. | Medium |
| User Software Restriction Basic User Zone Rule Added | Created when a Basic User Zone Rule is added to User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Zone Rule Changed | Created when a Basic User Zone Rule is changed in User Configuration Software Restriction policies. | Medium |
| User Software Restriction Basic User Zone Rule Removed | Created when a Basic User Zone Rule is removed in User Configuration Software Restriction. | Medium |
| User Software Restriction Designated File Types Changed | Created when the Designated File Types policy is changed in the Software Restriction Policies. | Medium |
| User Software Restriction Disallowed Certificate Rule Added | Created when a Disallowed level Certificate Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Certificate Rule Changed | Created when a Disallowed level Certificate Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Certificate Rule Removed | Created when a Disallowed level Certificate Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Hash Rule Added | Created when a Disallowed level Hash Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Hash Rule Changed | Created when a Disallowed level Hash Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Hash Rule Removed | Created when a Disallowed level Hash Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Path Rule Added | Created when a Disallowed level Path Rule is added to the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Path Rule Changed | Created when a Disallowed level Path Rule is changed in the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Path Rule Removed | Created when a Disallowed level Path Rule is removed from the Software Restriction Policies Additional Rules. | Medium |
| User Software Restriction Disallowed Zone Rule Added | Created when a Disallowed level Zone Rule is added to the Software Restriction Policies Additional Rules. | Medium |
User Software Restriction Disallowed Zone Rule Changed | Created when a Disallowed level Zone Rule is changed in the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Disallowed Zone Rule Removed | Created when a Disallowed level Zone Rule is removed from the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Enforcement Files Changed | Created when an Enforcement Policy Applicable Files option is changed in the Software Restriction policies. | Medium
User Software Restriction Enforcement Users Changed | Created when an Enforcement Policy Applicable Users option is changed in the Software Restriction policies. | Medium
User Software Restriction Policies Default Security Level Changed | Created when the default security level in the User Configuration Software Restriction Policies Security Levels folder is changed. | Medium
User Software Restriction Trusted Publishers Changed | Created when the Trusted Publishers policy is changed in the Software Restriction policies. | Medium
User Software Restriction Unrestricted Certificate Rule Added | Created when an Unrestricted level Certificate Rule is added to the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Certificate Rule Changed | Created when an Unrestricted level Certificate Rule is changed in the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Certificate Rule Removed | Created when an Unrestricted level Certificate Rule is removed from the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Hash Rule Added | Created when an Unrestricted level Hash Rule is added to the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Hash Rule Changed | Created when an Unrestricted level Hash Rule is changed in the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Hash Rule Removed | Created when an Unrestricted level Hash Rule is removed from the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Path Rule Added | Created when an Unrestricted level Path Rule is added to the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Path Rule Changed | Created when an Unrestricted level Path Rule is changed in the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Path Rule Removed | Created when an Unrestricted level Path Rule is removed from the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Zone Rule Added | Created when an Unrestricted level Zone Rule is added to the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Zone Rule Changed | Created when an Unrestricted level Zone Rule is changed in the Software Restriction Policies Additional Rules. | Medium
User Software Restriction Unrestricted Zone Rule Removed | Created when an Unrestricted level Zone Rule is removed from the Software Restriction Policies Additional Rules. | Medium
User Start Menu Folder Redirection Options Changed | Created when Settings properties of the Start Menu policy are changed in the Windows Settings Folder Redirection policies. | Medium

User Start Menu Folder Redirection Target Path Changed | Created when Target properties of the Start Menu policy are changed in the Windows Settings Folder Redirection policies. | Medium
User Videos Folder Redirection Options Changed | Created when Settings properties of the Videos policy are changed in the Windows Settings Folder Redirection policies. | Medium
User Videos Folder Redirection Target Path Changed | Created when Target properties of the Videos policy are changed in the Windows Settings Folder Redirection policies. | Medium
Wireless Network Policy Added | Created when a Wireless Network policy is added to the Computer Configuration Group Policy. | Medium
Wireless Network Policy Changed | Created when a Wireless Network policy in the Computer Configuration Group Policy is changed. | Medium
Wireless Network Policy Removed | Created when a Wireless Network policy is removed from the Computer Configuration Group Policy. | Medium

Group Policy Object


Table 18. Group Policy Object events

Event | Description | Severity
DACL Changed on Group Policy Object | Created when a DACL is changed on a group policy object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes), will not report inherited access control entry (ACE) changes. This event does NOT report inherited ACL changes. | High
Failed Group Policy Container Access (Change Auditor Protection) | Created when access to a group policy container is denied because it is locked down using the GPO protection feature of Change Auditor. | Medium
Failed Starter Group Policy Container Access (Change Auditor Protection) | Created when access to a Starter GPO is denied because it is locked down using the GPO protection feature of Change Auditor. | Medium
Group Policy Block Inheritance Setting Changed on Domain | Created when the block inheritance setting of a group policy linked to a domain is changed. | High
Group Policy Block Inheritance Setting Changed on OU | Created when the block inheritance setting of a group policy linked to an OU is changed. | High
Group Policy Block Inheritance Setting Changed on Site | Created when the blocked inheritance setting on a group policy linked to a site is changed. | High
Group Policy Disable Computer Configuration Flag Changed | Created when the disable computer configuration flag is changed. | Medium
Group Policy Disable User Configuration Flag Changed | Created when the disable user configuration flag is changed. | Medium
Group Policy Disabled Setting on Domain Changed | Created when the disabled setting of a group policy linked to a domain is changed. | High
Group Policy Disabled Setting on OU Changed | Created when the disabled setting of a group policy linked to an OU is changed. | Medium

Group Policy Disabled Setting on Site Changed | Created when the disabled setting of a group policy linked to a site is changed. | High
Group Policy Link Added to OU | Created when a group policy is associated with an OU. | High
Group Policy Link Added to Site | Created when a group policy link is associated with a site. | High
Group Policy Link Removed from OU | Created when a group policy link is disassociated from an OU. | High
Group Policy Link Removed from Site | Created when a group policy link is disassociated from a site. | High
Group Policy Link Settings Modified | Created when a group policy linked to an organizational unit has its flags attribute modified. | Medium
Group Policy Linked | Created when a group policy is linked to a domain. | High
Group Policy No Override Setting Changed on Domain | Created when the no override setting of a group policy linked to a domain is changed. | High
Group Policy No Override Setting Changed on OU | Created when the no override setting of a group policy linked to an OU is changed. | High
Group Policy No Override Setting Changed on Site | Created when the no override setting of a group policy linked to a site is changed. | High
Group Policy Object Added | Created when a group policy container is added to the policies container. | High
Group Policy Object Removed | Created when a group policy container is removed from the policies container. | High
Group Policy Object Renamed | Created when a group policy object is renamed. | High
Group Policy Unlinked | Created when a group policy link is detached from a domain. | High
Group Policy WMI Filter Changed | Created when the gPCWQLFilter attribute (WMI filter) of the objectClass=groupPolicyContainer is changed. | Medium
Linked Group Policy on Domain Changed | Created when a group policy setting that is attached to a domain is changed. | High
Linked Group Policy on OU Changed | Created when a group policy setting that is attached to an OU is changed. | Medium
Linked Group Policy on Site Changed | Created when a group policy setting that is attached to the site is changed. | High
Owner Changed on Group Policy Object | Created when the owner is changed for a group policy object. | High
Starter GPO Created | Created when a Starter GPO is created. | Medium
Starter GPO Removed | Created when a Starter GPO is removed. | Medium

IP Security
Table 19. IP Security events

Event | Description | Severity
IP Security Filter Action Created | Created when a new IP Security Filter Action is created. | Medium
IP Security Filter Action Deleted | Created when an IP Security Filter Action is removed. | Medium

IP Security Filter Action Option Changed | Created when an IP Security Filter Action Security option is changed. | Medium
IP Security Filter Action Security Method Changed | Created when an IP Security Filter Action Security Method is changed. | Medium
IP Security Filter List Created | Created when a new IP Security Filter List is created. | Medium
IP Security Filter List Deleted | Created when an IP Security Filter List is removed. | Medium
IP Security Filter List Option Changed | Created when an IP Security Filter List option is changed. | Medium
IP Security Policy Created | Created when a new IP Security setting is created in a domain. | Medium
IP Security Policy Deleted | Created when an IP Security setting is deleted from a domain. | Medium
IP Security Policy Key Exchange Settings Changed | Created when one or more key exchange settings are changed in an IP Security Policy. | Medium
IP Security Policy Option Changed | Created when one or more options are changed in an IP Security Policy. | Medium
IP Security Rule Created | Created when an IP Security Rule is created. | Medium
IP Security Rule Deleted | Created when an IP Security Rule is deleted. | Medium
IP Security Rule Filter Action Changed | Created when the Filter Action of an IP Security Rule is changed. | Medium
IP Security Rule Filter List Changed | Created when the Filter List of an IP Security Rule is changed. | Medium
IP Security Rule Option Changed | Created when one or more options are changed in an IP Security Rule. | Medium
Rule Added to IP Security Policy Rule List | Created when a rule is added (checked) to the IP Security Rule list of an IP Security Policy. | Medium
Rule Removed from IP Security Policy Rule List | Created when a rule is removed (cleared) from the IP Security Rule list of an IP Security Policy. | Medium

NETLOGON Service
Table 20. NETLOGON Service events

Event | Description | Severity
NETLOGON AutoSiteCoverage Flag Changed | Created when the AutoSiteCoverage flag is changed. | Medium
NETLOGON CloseSiteTimeout Parameter Changed | Created when the CloseSiteTimeout value is changed. | Medium
NETLOGON Diagnostic Logging Parameter Changed | Created when the diagnostic log level for the NETLOGON service is changed. | Medium
NETLOGON DnsAvoidRegisterRecords Parameter Changed | Created when the contents of the DnsAvoidRegisterRecords registry entry is changed. | Medium
NETLOGON GcSiteCoverage Parameter Changed | Created when the GcSiteCoverage registry entry is changed. | Medium
NETLOGON LdapSrvPriority Parameter Changed | Created when the LdapSrvPriority registry entry is added, removed, or changed. | Medium

NETLOGON LdapSrvWeight Parameter Changed | Created when the LdapSrvWeight value is changed. | Medium
NETLOGON SiteCoverage Parameter Changed | Created when the contents of the SiteCoverage registry entry is changed. | Medium
NETLOGON SiteName Parameter Changed | Created when the SiteName registry entry is added, removed, or changed. | Medium

NTDS Service
Table 21. NTDS Service events

Event | Description | Severity
NTDS Default TTL Changed | Created whenever the default TTL is changed. | Low
NTDS Garbage Collection Period Changed | Created whenever the garbage collection period is changed. | Low
NTDS Minimum TTL Changed | Created whenever the minimum TTL is changed. | Low
NTDS TCP/IP Port Assignment Changed | Created when the NTDS RPC TCP/IP port assignment is changed. | Low
NTDS Tombstone Lifetime Setting Changed | Created whenever the tombstone lifetime is altered. | Low

Organizational Unit (OU)


Table 22. Organizational Unit (OU) events

Event | Description | Severity
Alternate UPN Suffix Added to OU | Created when an entry is added to the list of alternate user principal name (UPN) suffixes available for user names. | Medium
Alternate UPN Suffix Removed from OU | Created when an entry is removed from the list of alternate user principal name (UPN) suffixes available for user names. | Medium
DACL Changed on OU Object | Created when the DACL is changed on an OU object. NOTE: Change Auditor access control list (ACL) events (discretionary access control list (DACL) and system access control list (SACL) changes), will not report inherited access control entry (ACE) changes. This event does NOT report inherited ACL changes. | High
Domain Controller Added to OU | Created when a domain controller is added to an OU. | High
Domain Controller Removed from OU | Created when a domain controller is removed from an OU. | High
OU Group Policy Order Changed | Created when the list of group policies linked to an organizational unit is re-ordered. | Medium
Subordinate OU Added | Created when an OU is added to another OU. | Medium
Subordinate OU Removed | Created when an OU is removed from another OU. | Medium
Subordinate OU Renamed | Created when a subordinate OU is renamed. | Medium

Replication Transport
Table 23. Replication Transport events

Event | Description | Severity
Bridge All Site Links Option Changed | Created when the Bridge all site links check box on the replication transport property page is changed. | Medium
Ignore Link Schedules Option Changed | Created when the Ignore schedules check box on the replication transport property page is changed. | Medium
Irregular domain replication activity detected | This event identifies replication behavior that may indicate that DCSync is being used to retrieve password data through domain replication. Irregular requests can include: replication activity from the same source and target computer; replication activity that is initiated by a user account instead of a computer account. As an example, DCSync is a command within Mimikatz that can simulate the behaviour of a Domain Controller and make replication requests. This activity can result in someone gaining unauthorized access to user credentials. The stolen credentials can then be used to create a golden ticket or silver ticket and can be used for pass-the-hash and overpass-the-hash scenarios. This event identifies replication behavior that may indicate that DCSync is being used to compromise the security of your network. | High

Schema Configuration
Table 24. Schema Configuration events

Event | Description | Severity
Attribute Added to Optional Attributes | Created when a new attribute is added to the optional attributes for a class object in the schema. | High
Attribute Removed from Optional Attributes | Created when an attribute is removed from the Optional Attributes for a class object in the schema. | High
Class Removed from Auxiliary Classes in Schema | Created when a class is removed from auxiliaryClass. | High
Class Removed from Possible Superiors in Schema | Created when a class is removed from possSuperiors. | High
New Class Added to Auxiliary Classes in Schema | Created when a new class is added to auxiliaryClass. | High
New Class Added to Possible Superiors in Schema | Created when a new class is added to possSuperiors. | High
Schema Attribute Added | Created when a new attribute is added to the schema. | High
Schema Attribute Confidential flag changed | Created when an Attribute Confidential flag is changed. | High
Schema Attribute defaultHidingValue Changed | Created when the defaultHidingValue is changed. | High
Schema Attribute GC Flag Changed | Created when the GC flag for an attribute is changed. | High

Schema Attribute Indexing Flag Changed | Created when the indexing flag for an attribute is changed. | High
Schema Attribute RODC Filtered flag changed | Created when an Attribute RODC Replication flag is changed. | High
Schema Class Added | Created when a new class is added to the schema. | High
Schema Class Default Security Descriptor Changed | Created when the default security descriptor for a class is changed. | High
Schema Object Disabled | Created when a schema object is marked disabled. | High
Schema Object Enabled | Created when a schema object is marked enabled. | High
Schema Version Changed | Created when the schema version number changes. | High

Site Configuration
Table 25. Site Configuration events

Event | Description | Severity
Automatic Intersite Topology Generation Role Changed | Created when the intersite topology generation role is assigned to another DC. | Medium
Automatic Intersite Topology Generator for the Site has been Disabled | Created when intersite topology generation is disabled for a site. | High
Automatic Intersite Topology Generator for the Site has been Enabled | Created when intersite topology generation is enabled for a site. | Medium
Automatic Intrasite Topology Generation for the Site has been Enabled | Created when intrasite topology generation is enabled for a site. | Medium
Automatic Intrasite Topology Generator for the Site has been Disabled | Created when intrasite topology generation is disabled for a site. | High
Default Site Query Policy Object Changed | Created when the default query policy object reference for a site is changed. | Medium
Domain Controller Moved to Site | Created when a Domain controller is moved to a site. | Medium
Linked Query Policy Object for Site Changed | Created when the query policy object referred to by a site is changed. | Medium
Site Group Policy Order Changed | Created when the list of group policies linked to a site is re-ordered. | Medium
Site License Server Changed | Created when the licensing server for the site is changed. | Medium

Site Link Bridge Configuration


Table 26. Site Link Bridge Configuration events

Event | Description | Severity
Site Link Added to Site Link Bridge | Created when a site link has been added to a site link bridge. | Medium
Site Link Removed from Site Link Bridge | Created when a site link has been removed from a site link bridge. | High

Site Link Configuration
Table 27. Site Link Configuration events

Event | Description | Severity
Inter-site Compression Setting Changed | Created when the inter-site compression setting for a site link is changed. | Medium
Interval Changed | Created when a change is detected in the Interval attribute of a site link. | High
Link Cost Changed | Created when a change is detected in the cost attribute of a site link. | High
Schedule Changed | Created when a change is detected in the schedule attribute of a site link. | High
Site Added to Site List | Created when a site is added to a site list. | Medium
Site Removed from Site List | Created when a site is removed from a site list. | High

Subnets
Table 28. Subnets event

Event | Description | Severity
Subnet Site Assignment Changed | Created when the site association of a subnet is changed. | Medium

SYSVOL
Table 29. SYSVOL events

Event | Description | Severity
SYSVOL Folder Access Rights Changed | Created when access to the SYSVOL folder has been changed via Access Control Settings for SYSVOL or Share Permissions. Disabled by default. | Medium
SYSVOL Folder Auditing Changed | Created when the SACL on the SYSVOL folder has been changed. Disabled by default. | Medium
SYSVOL Folder Ownership Changed | Created when ownership of the SYSVOL folder has been changed. Disabled by default. | Medium

3
Log Events

When event logging for Active Directory is enabled in Change Auditor, events will also be written to the InTrust® for
AD event log. In addition, when event logging for ADAM (AD LDS) is enabled in Change Auditor, ADAM events will
be written to the InTrust for ADAM event log. These log events can then be gathered by InTrust and Quest
Knowledge Portal for further processing and reporting.

NOTE: To enable event logging, select Event Logging on the Agent Configuration page (Administration
Tasks tab), and select the type of event logging to enable.

The tables in this section list the log events captured when Active Directory and/or ADAM event logging is enabled.
They are listed in numeric order by event ID based on the event log to which they are recorded:
• InTrust for AD event log
• InTrust for ADAM event Log

InTrust for AD event log


The following table lists the Active Directory events that are recorded to the InTrust for AD event log when Active
Directory event logging is enabled in Change Auditor.

Table 30. InTrust for AD event log events

Event ID Description
1 Attempt to modify AD object was denied by the system
2 Attempt to delete AD object was denied by the system
3 AD object was successfully modified
4 AD object was successfully deleted
5 Attempt to modify AD object was denied by Change Auditor for Active Directory
6 Attempt to delete AD object was denied by Change Auditor for Active Directory
8 Attempt to delete Group Policy was denied by the system
9 Group Policy was successfully modified
10 Group Policy was successfully deleted
11 Attempt to modify Group Policy was denied by Change Auditor for Active Directory
13 Attempt to move AD object was denied by the system
14 AD object was successfully moved
15 Attempt to move AD object was denied by Change Auditor for Active Directory
16 Attempt to create AD object was denied by the system
17 AD object was successfully created
18 Attempt to create AD object was denied by Change Auditor for Active Directory
19 Attempt to create Group Policy was denied by the system
20 Group Policy was successfully created

21 Attempt to create Group Policy was denied by Change Auditor for Active Directory
22 Attempt to modify a property of AD object was denied by the system
23 Property of AD object was successfully modified
24 Attempt to modify a property of AD object was denied by Change Auditor for Active Directory
25 Heartbeat – Change Auditor for Active Directory is currently active on this computer
26 Protected objects cache update failure
27 Protected objects cache reload
31 AD object was successfully protected
32 AD object protection was successfully removed
33 AD object protection was successfully modified
37 Group Policy was successfully protected
38 Group Policy protection was successfully removed
39 Group Policy protection was successfully modified
40 Attempt to modify AD object security descriptor was denied by the system
41 Attempt to modify AD object ownership was denied by the system
42 Attempt to modify user mailbox access rights was denied by the system
43 AD object security descriptor was successfully modified
44 AD object ownership was successfully changed
45 Attempt to modify user mailbox ownership was denied by the system
46 Attempt to modify AD object security descriptor was denied by Change Auditor for Active Directory
47 Attempt to modify AD object ownership was denied by Change Auditor for Active Directory
48 User mailbox access rights were successfully changed
49 User mailbox ownership was successfully changed
50 Attempt to modify user mailbox access was denied by Change Auditor for Active Directory
51 Attempt to modify user mailbox ownership was denied by Change Auditor for Active Directory
52 Attempt to modify linked Group Policy objects was denied by the system
53 Linked Group Policy objects were successfully modified
54 Attempt to modify linked Group Policy objects was denied
63 Group Policy Template was successfully modified
64 Attempt to modify Group Policy Template was denied
65 DNS record added
66 DNS record deleted
67 DNS record changed
69 List of excluded accounts was successfully changed
70 Service start failure
71 Group policy backup is not available
72 Group policy backup is now available
74 List of protected attributes was successfully changed
76 Protection group settings was successfully changed
78 Protection group was successfully created
80 Protection group was successfully deleted
82 Protection group was successfully renamed

84 Audit filter list was successfully changed
85 Event log was cleared
86 Service critical error
87 Account locked out
88 Account unlocked
89 Attempt to unlock user account was denied by the system
90 Attempt to unlock user account was denied by Change Auditor for Active Directory
101 Group member-of added
102 Group member-of removed
151 User member-of added
152 User member-of removed
201 Starter GPO Computer setting changed
202 Starter GPO User setting changed
251 Starter GPO created
252 Starter GPO removed
301 IP Security Filter Action created
302 IP Security Filter Action deleted
303 IP Security Filter Action Option changed
304 IP Security Filter Action Security Method changed
305 IP Security Filter List created
306 IP Security Filter List deleted
307 IP Security Filter List Option changed
308 IP Security Policy created
309 IP Security Policy deleted
310 IP Security Policy Key Exchange Settings changed
311 IP Security Policy Option changed
312 IP Security Rule created
313 IP Security Rule deleted
314 IP Security Rule Filter Action changed
315 IP Security Rule Filter List changed
316 IP Security Rule Option changed
317 Rule added to IP Security Policy Rule List
318 Rule removed from IP Security Policy Rule List
361 Expires after period changed in DNS zone
362 Name server added to DNS zone
363 Name server removed from DNS zone
364 Primary server changed in DNS zone
365 Refresh interval changed in DNS zone
366 Retry interval changed in DNS zone
367 WINS forwarding flag disabled in DNS zone
368 WINS forwarding flag enabled in DNS zone
369 WINS forwarding host list changed in DNS zone

370 Zone default TTL changed in DNS zone
371 Zone delegation added to DNS zone
372 Zone delegation removed from DNS zone
373 DNS Zone added
374 DNS Zone deleted
401 Attribute added to the optional attributes for a class object in the schema
402 Attribute removed from the optional attributes for a class object in the schema
403 Class removed from auxiliary classes in schema
404 Class removed from possible superiors in schema
405 New class added to auxiliary classes in schema
406 New class added to possible superiors in schema
407 Schema attribute added
408 Schema attribute flag changed
409 Schema class added
410 Schema class default security descriptor changed
411 Schema object changed
412 Schema version changed
413 Schema class deactivated
414 Schema class reactivated
415 Schema attribute deactivated
416 Schema attribute reactivated
501 Computer Software Restriction Basic User Hash Rule added, changed or removed
502 Computer Software Restriction Basic User Path Rule added, changed or removed
503 Computer Software Restriction Basic Zone Rule added, changed or removed
504 Computer Software Restriction Designated File Types changed
505 Computer Software Restriction Disallowed Certificate Rule added, changed or removed
506 Computer Software Restriction Disallowed Hash Rule added, changed or removed
507 Computer Software Restriction Disallowed Path Rule added, changed or removed
508 Computer Software Restriction Disallowed Zone Rule added, changed or removed
509 Computer Software Restriction Enforcement Files option changed
510 Computer Software Restriction Enforcement Users option changed
511 Computer Software Restriction Policies Default Security level changed
512 Computer Software Restriction Trusted Publishers policy changed
513 Computer Software Restriction Unrestricted Certificate Rule added, changed or removed
514 Computer Software Restriction Unrestricted Hash Rule added, changed or removed
515 Computer Software Restriction Unrestricted Path Rule added, changed or removed
516 Computer Software Restriction Unrestricted Zone Rule added, changed or removed
521 Computer Software Installation Policy added, changed or removed
531 Computer Public Key Policies Autoenrollment settings changed
532 Computer Public Key Policies Automatic Certificate Request added, changed or removed
533 Computer Public Key Policies Encrypting File System DRA added, changed or removed
534 Computer Public Key Policies Enterprise Trust List added, changed or removed

535 Computer Public Key Policies Trusted Root Certification Authority changed
541 User Software Restriction Basic User Hash Rule changed
542 User Software Restriction Basic User Path Rule added, changed or removed
543 User Software Restriction Basic User Zone Rule added, changed or removed
544 User Software Restriction Designated File Types changed
545 User Software Restriction Disallowed Certificate Rule added, changed or removed
546 User Software Restriction Disallowed Hash Rule added, changed or removed
547 User Software Restriction Disallowed Path Rule added, changed or removed
548 User Software Restriction Disallowed Zone Rule added, changed or removed
549 User Software Restriction Enforcement Files option changed
550 User Software Restriction Enforcement Users option changed
551 User Software Restriction Policies Default Security Level changed
552 User Software Restriction Trusted Publishers policy changed
553 User Software Restriction Unrestricted Certificate Rule added, changed or removed
554 User Software Restriction Unrestricted Hash Rule added, changed or removed
555 User Software Restriction Unrestricted Path Rule added, changed or removed
556 User Software Restriction Unrestricted Zone Rule added, changed or removed
581 User Software Installation Policy added, changed or removed
601 User Public Key Policies Autoenrollment Settings changed
602 User Public Key Policies Enterprise Trust List added, changed or removed

InTrust for ADAM event log


The following table lists the ADAM (AD LDS) events that are recorded to the InTrust for ADAM event log when
ADAM (AD LDS) event logging is enabled.

Table 31. InTrust for ADAM event log events

Event ID Description
1 Attempt to modify ADAM object was denied by the system
2 Attempt to delete ADAM object was denied by the system
3 ADAM object was successfully modified
4 ADAM object was successfully deleted
5 Attempt to modify ADAM object was denied by Change Auditor
6 Attempt to modify ADAM object was denied by Change Auditor
13 Attempt to move ADAM object was denied by system
14 ADAM object was successfully moved
15 Attempt to move ADAM object was denied by Change Auditor
16 Attempt to create ADAM object was denied by system
17 ADAM object was successfully created
18 Attempt to create ADAM object was denied by Change Auditor
22 Attempt to modify property of ADAM object was denied by the system
23 Property of ADAM object was successfully modified

24 Attempt to modify a property of ADAM object was denied by Change Auditor
25 Heartbeat – Change Auditor for ADAM service is currently active on this computer
27 Protected objects cache reload
31 ADAM object was successfully protected
32 ADAM object protection was successfully removed
33 ADAM object protection was successfully modified
40 Attempt to modify ADAM object security descriptor was denied by the system
41 Attempt to modify ADAM object ownership was denied by the system
43 ADAM object security descriptor was successfully modified
44 ADAM object ownership was successfully changed
46 Attempt to modify ADAM object security descriptor was denied
47 Attempt to modify ADAM object ownership was denied
69 List of excluded accounts was successfully changed
70 Service start failure
71 Invalid ADAM instance
74 List of protected attributes was successfully changed
76 Protected attributes list mode was successfully changed
78 Protection group was successfully created
80 Protection group was successfully deleted
82 Protection group was successfully renamed
84 Audit filter list was successfully changed
85 Event log was cleared
86 Service critical error

About us

Quest creates software solutions that make the benefits of new technology real in an increasingly complex IT
landscape. From database and systems management, to Active Directory and Office 365 management, and cyber
security resilience, Quest helps customers solve their next IT challenge now. Around the globe, more than 130,000
companies and 95% of the Fortune 500 count on Quest to deliver proactive management and monitoring for the
next enterprise initiative, find the next solution for complex Microsoft challenges and stay ahead of the next threat.
Quest Software. Where next meets now. For more information, visit www.quest.com.

Our brand, our vision. Together.


Our logo reflects our story: innovation, community and support. An important part of this story begins with the letter
Q. It is a perfect circle, representing our commitment to technological precision and strength. The space in the Q
itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.

Contacting Quest
For sales or other inquiries, visit www.quest.com/contact.

Technical support resources


Technical support is available to Quest customers with a valid maintenance contract and customers who have trial
versions. You can access the Quest Support Portal at https://support.quest.com.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. The Support Portal enables you to:
• Submit and manage a Service Request.
• View Knowledge Base articles.
• Sign up for product notifications.
• Download software and technical documentation.
• View how-to videos.
• Engage in community discussions.
• Chat with support engineers online.
• View services to assist you with your product.
