Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are:

  • Create
  • Delete
  • Modify
  • Move
  • Undelete


Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.
Important: Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit to be generated due to settings on the object class in the schema.

This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track to understand the state of the network policy.

Event volume: High on domain controllers; none on client computers

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2 or Windows Server 2008.

  • 5136: A directory service object was modified.
  • 5137: A directory service object was created.
  • 5138: A directory service object was undeleted.
  • 5139: A directory service object was moved.
  • 5141: A directory service object was deleted.

Scope: 

Computer

Default: 

Not configured

Related content