Chat now with support
Chat with Support

Change Auditor for Active Directory 7.3 - Event Reference Guide

Introduction

Change Auditor for Active Directory drives the security and control of Microsoft Active Directory by proactively tracking vital Active Directory configuration changes in real time. From GPO and Schema to critical group and operational changes, Change Auditor for Active Directory tracks, audits, reports, and alerts on changes that impact your directory — without the overhead costs of native auditing.

You can also track, audit, and report on Azure Active Directory changes. For more information, see the Change Auditor for Office 365 and Azure Active Directory Auditing User Guide.

In addition to real-time event auditing, you can enable event logging to capture Active Directory or ADAM (AD LDS) events locally in a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

* 
NOTE: Active Directory and ADAM (AD LDS) auditing and event logging are only available when you have licensed Change Auditor for Active Directory. Contact your Sales Representative for more information about obtaining Change Auditor for Active Directory.

This guide lists the events that can be captured by Change Auditor for Active Directory. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Change Auditor for Active Directory Events

Change Auditor for Active Directory Events

This section lists the audited events specific to Change Auditor for Active Directory and each event’s corresponding severity setting. Audited events are listed in alphabetical order by facility:
Active Directory Database
Active Directory Federation Services - Authentication Methods
Active Directory Federation Services - Claims Provider Trusts
Active Directory Federation Services - Endpoints
Active Directory Federation Services - Relying Party Trusts
Active Directory Federation Services - Relying Party Trusts
Dynamic Access Control
Connection Object
Custom AD Object Monitoring
Custom Computer Monitoring
Custom Group Monitoring
Custom User Monitoring
DNS Service
DNS Zone
Domain Configuration
Dynamic Access Control
Forest Configuration
FRS Service
Group Policy Item
Group Policy Object
IP Security
NETLOGON Service
NTDS Service
Organizational Unit (OU)
Replication Transport
Schema Configuration
Site Configuration
Site Link Bridge Configuration
Site Link Configuration
Subnets
SYSVOL
* 
NOTE: To view a complete list of all the Change Auditor for Active Directory events, open the Audit Events page on the Administration Tasks tab in the Change Auditor client. This page contains a list of all the events available for auditing by Change Auditor for Active Directory. It also displays the facility to which the event belongs, the severity assigned to each event, if the event is enabled or disabled, and the type of Change Auditor for Active Directory license that is required to capture each event.
* 
IMPORTANT: When expecting large numbers of events, it may be necessary to increase the Max Events per Connection setting in the Change Auditor client (Agent Configuration on the Administration Tasks tab) to avoid an ever-increasing backlog of events waiting to be sent from the agent to the coordinator database.

Active Directory Database

 
Table 1. Active Directory Database events
Event
Description
Severity

Active Directory database file access rights changed

Created when access to the NTDS.dit file has been changed through Access Control Settings.

High

Active Directory database file accessed

Created when the NTDS.dit file has been accessed.

High

Active Directory database file attribute changed

Created when NTDS.dit file attributes have been changed.

High

Active Directory database file auditing changed

Created when changes are made to the NTDS.dit auditing list on the domain controller.

High

Active Directory database file central access policy changed

Created when the NTDS.dit file central access policy is changed on the domain controller.

High

Active Directory database file classification changed

Created when the NTDS.dit file classification is changed on the domain controller.

High

Active Directory database file created

Created when the NTDS.dit file is created on a domain controller.

High

Active Directory database file deleted

Created when the NTDS.dit file is deleted on a domain controller.

High

Active Directory database file last write changed

Created when the contents of the NTDS.dit file are written on a domain controller.

High

Active Directory database file moved

Created when the NTDS.dit file is moved on a domain controller.

High

Active Directory database file ownership changed

Created when ownership of the NTDS.dit file has been changed.

High

Active Directory database file renamed

Created when the NTDS.dit file is renamed on a domain controller.

High

Failed Active Directory database access (Change Auditor Protection)

Created when access attempt fails on the NTDS.dit file due to Change Auditor protection.

High

Failed Active Directory database access (NTFS permissions)

Created when access attempt fails on the NTDS.dit file due to NTFS permission.

High

Failed Active Directory database access (Sharing violation)

Created when access attempt fails on the NTDS.dit file due to sharing violation.

High

Active Directory Federation Services - Authentication Methods

 
Table 2. Active Directory Federation Services - Authentication Methods events
Event
Description
Severity

Additional authentication methods changed

Created when authentication methods are changed.

Medium

Additional authentication method registered

Created when authentication methods are registered.

Medium

Additional authentication method unregistered

Created when authentication methods are unregistered.

Medium

Allow additional authentication providers as primary setting changed

Created when additional authentication providers as primary setting is changed.

Medium

Extranet authentication methods changed

Created when extranet authentication methods are changed.

Medium

Intranet authentication methods changed

Created when intranet authentication methods are changed.

Medium

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating