Customers may observe high-severity alerts in Change Auditor indicating that:

“ANONYMOUS LOGON is attempting to modify the Domain Admins group permissions (DACL)”

These alerts can raise concern about a potential security breach or unauthorized access attempt, especially given the sensitivity of the Domain Admins group.

The alert is triggered when an anonymous LDAP connection attempts to perform a modification operation against Active Directory objects—in this case, the Domain Admins group DACL.

Key points:

• The operation originates from an unauthenticated (anonymous) context.
• Active Directory does not allow such modifications, and the attempt is rejected.
• Change Auditor detects this as a high-risk action and reports it.
• The event result shows “Protected”, confirming:
  • The action was blocked
  • No changes were made

This behavior is expected and indicates that:

• Change Auditor is functioning correctly
• Active Directory security controls prevented the modification

Although the attempt was blocked, it is important to identify the source of the anonymous request to rule out misconfiguration or suspicious activity.

1. Identify the Source System

• Review the event details in Change Auditor:
  • Source IP address
  • Originating host or workstation
  • Target Domain Controller

2. Review Domain Controller Security Logs

On the affected Domain Controller, check:

• Event ID 4624 – Logon attempts (look for ANONYMOUS LOGON, Logon Type 3)
• Event ID 4662 – Object access attempts
• Event ID 5136 – Directory object modifications

Correlate timestamps with the Change Auditor alert to identify:

• Source IP
• Calling process (if available)

3. Investigate LDAP Clients and Applications

Review any systems that interact with Active Directory using LDAP:

• Custom scripts
• Monitoring tools
• Third-party applications
• Identity management systems

A misconfigured application may:

• Attempt LDAP binds without credentials
• Default to anonymous authentication

4. Validate Domain Admins Group Permissions

• Confirm the DACL has not changed
• Compare against known baseline or expected permissions
• Ensure no unauthorized ACEs exist

5. Review LDAP Security Configuration

To reduce or prevent similar alerts:

• Disable anonymous binds where possible:
  • Domain Controller: LDAP server signing requirements
• Enable LDAP signing and channel binding
• Enforce secure LDAP (LDAPS)

6. Review Network and Firewall Logs

• Check for LDAP traffic (TCP 389 / 636)
• Identify source systems initiating the connections
• Validate if traffic aligns with expected behavior

Additional Information

• Change Auditor logs all available information provided by Active Directory for this type of event.
• If the event shows “Protected”, no action was successfully executed.
• These alerts typically indicate:
  • Misconfigured applications (most common)
  • Or unexpected/unverified LDAP traffic that should be investigated

Conclusion

This alert does not indicate a successful attack or modification. It confirms that:

• An unauthorized attempt was made using an anonymous LDAP connection
• The action was blocked by Active Directory and detected by Change Auditor

The focus should be on identifying the originating system or application to prevent recurring events and ensure environment security.