
Change Auditor for Active Directory 7.1.1 - Event Reference Guide

Introduction

Change Auditor for Active Directory drives the security and control of Microsoft Active Directory by proactively tracking vital Active Directory configuration changes in real time. From GPO and Schema to critical group and operational changes, Change Auditor for Active Directory tracks, audits, reports, and alerts on changes that impact your directory — without the overhead costs of native auditing.

You can also track, audit, and report on Azure Active Directory changes. For more information, see the Change Auditor for Office 365 and Azure Active Directory Auditing User Guide.

In addition to real-time event auditing, you can enable event logging to capture Active Directory or ADAM (AD LDS) events locally in a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

This guide lists the events that can be captured by Change Auditor for Active Directory. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Change Auditor for Active Directory Events

This section lists the audited events specific to Change Auditor for Active Directory and each event’s corresponding severity setting. Audited events are listed in alphabetical order by facility:

Active Directory Database

| Event | Description | Severity |
| --- | --- | --- |
| Active Directory database file access rights changed | Created when access to the NTDS.dit file has been changed through Access Control Settings. | High |
| Active Directory database file accessed | Created when the NTDS.dit file has been accessed. | High |
| Active Directory database file attribute changed | Created when NTDS.dit file attributes have been changed. | High |
| Active Directory database file auditing changed | Created when changes are made to the NTDS.dit auditing list on the domain controller. | High |
| Active Directory database file central access policy changed | Created when the NTDS.dit file central access policy is changed on the domain controller. | High |
| Active Directory database file classification changed | Created when the NTDS.dit file classification is changed on the domain controller. | High |
| Active Directory database file created | Created when the NTDS.dit file is created on a domain controller. | High |
| Active Directory database file deleted | Created when the NTDS.dit file is deleted on a domain controller. | High |
| Active Directory database file last write changed | Created when the contents of the NTDS.dit file are written on a domain controller. | High |
| Active Directory database file moved | Created when the NTDS.dit file is moved on a domain controller. | High |
| Active Directory database file ownership changed | Created when ownership of the NTDS.dit file has been changed. | High |
| Active Directory database file renamed | Created when the NTDS.dit file is renamed on a domain controller. | High |
| Failed Active Directory database access (Change Auditor Protection) | Created when an access attempt on the NTDS.dit file fails due to Change Auditor protection. | High |
| Failed Active Directory database access (NTFS permissions) | Created when an access attempt on the NTDS.dit file fails due to NTFS permissions. | High |
| Failed Active Directory database access (Sharing violation) | Created when an access attempt on the NTDS.dit file fails due to a sharing violation. | High |

Active Directory Federation Services - Authentication Methods

| Event | Description | Severity |
| --- | --- | --- |
| Additional authentication methods changed | Created when authentication methods are changed. | Medium |
| Additional authentication method registered | Created when authentication methods are registered. | Medium |
| Additional authentication method unregistered | Created when authentication methods are unregistered. | Medium |
| Allow additional authentication providers as primary setting changed | Created when the "Allow additional authentication providers as primary" setting is changed. | Medium |
| Extranet authentication methods changed | Created when extranet authentication methods are changed. | Medium |
| Intranet authentication methods changed | Created when intranet authentication methods are changed. | Medium |
