Change Auditor for Active Directory 7.0.2 - Event Reference Guide

Introduction

Change Auditor drives the security and control of Microsoft Active Directory by proactively tracking vital Active Directory configuration changes in real time. From GPO and Schema to critical group and operational changes, Change Auditor tracks, audits, reports, and alerts on changes that impact your directory — without the overhead costs of native auditing.

You can also track, audit, and report on Azure Active Directory changes. For more information, see the Change Auditor for Office 365 and Azure Active Directory Auditing User Guide.

In addition to real-time event auditing, you can enable event logging to capture Active Directory or ADAM (AD LDS) events locally in a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

This guide lists the events that can be captured by Change Auditor. Separate event reference guides are provided that list the core Change Auditor events (when any Change Auditor license is applied) and the events captured when the different auditing modules are licensed.

Change Auditor Events

This section lists the audited events specific to Change Auditor and each event’s corresponding severity setting. Audited events are listed in alphabetical order by facility:

Configuration Monitoring

Active Directory Share Added

Created when an Active Directory share has been added to a server.

Medium

Active Directory Share Removed

Created when an Active Directory share has been removed from a server.

High

Append Parent Suffixes Option Changed

Created when the append parent suffixes of the primary DNS suffix option is changed.

Medium

Application Partition Replica Added

Created when a DN for an application partition is added to the msDS-hasMasterNCs attribute of an nTDSDSA object.

Medium

Application Partition Replica Removed

Created when a DN for an application partition is removed from the msDS-hasMasterNCs attribute of an nTDSDSA object.

High

Connection DNS Registration Option Changed

Created when the register connection in DNS option on a network connection is changed.

Medium

Connection Object Added

Created when an nTDSConnection object is added to the NTDS Settings container.

Medium

Connection Object Removed

Created when an nTDSConnection object is removed from the NTDS Settings container.

Medium

Connection-specific DNS Suffix Changed

Created when the connection-specific DNS suffix changes.

Medium

Contents of DNS Server List Changed

Created when a DNS server is added or removed from the DNS server list.

Medium

Contents of DNS Suffix List Changed

Created when a suffix is added or removed from the DNS suffix list.

Medium

Contents of WINS Server List Changed

Created when a server is added or removed from the WINS server list.

Medium

Critical Link Failures Allowed Parameter Changed

Created when the CriticalLinkFailuresAllowed parameter on a DC is changed.

Medium

Default Gateway Changed

Created when the default gateway changes on a network connection.

Low

DHCP Disabled

Created when DHCP is disabled on a network connection.

Low

DHCP Enabled

Created when DHCP is enabled on a network connection.

Low

DIT Location Changed

Created when the directory path of the DIT is changed.

Low

Domain Controller Added as Preferred Bridgehead Server

Created when a domain controller is configured as a preferred bridgehead server for a particular replication transport.

Medium

Domain Controller Moved to Another OU

Created when a domain controller is moved to another OU.

Medium

Domain Controller Removed as Preferred Bridgehead Server

Created when a domain controller is removed as a preferred bridgehead server for a particular replication transport.

Medium

Domain Controller Service Pack Applied

Created when a service pack is applied to a domain controller.

Medium

Domain Controller Service Pack Rolled Back

Created when a service pack is removed from a domain controller.

Medium

DS Database Logging and Recover Option Changed

Created when the logging and recovery option of Active Directory is changed.

Low

DS Hierarchy Table Evaluation Interval Changed

Created when the hierarchy table evaluation interval on the DC is changed.

Medium

DS Log File Location Changed

Created when the directory path of the DS log file is changed.

Low

Hotfix Applied

Created when a hot fix is applied.

Medium

Hotfix Rolled Back

Created when a hot fix is removed. (Disabled by Default)

Medium

Intersite Failures Allowed Parameter Changed

Created when the IntersiteFailuresAllowed parameter is changed on a DC.

Medium

IP Deny List Entry Added

Created when an entry is added to the IP deny list of an LDAP query policy object.

Medium

IP Deny List Entry Removed

Created when an entry is removed from the IP deny list of an LDAP query policy object.

Low

IPSEC Settings Changed

Created when the IPSEC settings for a network connection are changed.

Medium

KCC Delay After Startup Changed

Created when the amount of time the KCC delays after startup before re-computing the replication topology is changed.

Medium

KCC Site Generator Failover Interval Changed

Created when the interval after which a new Intersite Topology Generator (ISTG) is nominated if no ISTG identity is updated in the directory is changed.

Medium

KCC Site Generator Renewal Interval Changed

Created when the interval at which the Intersite Topology Generator (ISTG) publishes its identity in the directory is changed.

Medium

KCC Update Interval Changed

Created when the interval at which the KCC on the domain controller runs is changed.

Medium

Kerberos Diagnostic Log Level Changed

Created when the diagnostic log level for the Kerberos service is changed.

Medium

Linked Query Policy for Domain Controller Changed

Created when the lDAPAdminLimits attribute of a query policy object referred to by the querypolicyObject attribute of the nTDSDSA object for the domain controller was changed.

Low

Max Failure Time for Intersite Link Parameter Changed

Created when the MaxFailureTimeForIntersiteLink value is changed on a domain controller.

Medium

Max Failure Time for Non-critical Link Parameter Changed

Created when the Maximum Failure Time value for non-critical links is changed on a domain controller.

Medium

MaxFailureTimeForCritical Link Parameter Changed

Created when the MaxFailureTimeForCriticalLink parameter is changed on a domain controller.

Medium

Maximum Number of DS Threads Changed

Created when the number of threads used by the DS service is changed.

Medium

NetBIOS Setting Changed

Created when the NETBIOS setting on a network connection is changed.

Medium

NIC Added

Created when a NIC is added to the host computer.

Low

NIC Disabled

Created when a NIC is disabled on the host computer.

Medium

NIC Enabled

Created when a NIC is enabled on the host computer.

Medium

NIC Removed

Created when a NIC is removed from the host computer.

Low

Non-critical Link Failures Allowed Flag Changed

Created when the Non-critical Link Failures value is changed on a domain controller.

Low

Preferred Bridgehead Setting Changed

Created when the bridgeheadTransportList attribute of a server is changed.

Medium

Processor Speed Changed

Created when the processor speed of the DC is changed.

Low

Query Policy Link for Domain Controller Changed

Created when the queryPolicyObject attribute of the nTDSDSA is changed.

Low

Query Policy Setting Changed

Created when query policy settings of an existing query policy object have changed.

Low

Raw IP Allowed Protocols List Changed

Created when the contents of the Raw IP Allowed Protocols list are changed.

Medium

Replicator Notify Pause After Modify Delay Changed

Created when the notify pause value is changed on a domain controller.

Medium

Schema Modifications Allowed Flag Changed

Created when a domain controller is configured to allow schema modifications.

High

Static IP Address Changed

Created when the static IP address changes on a network connection.

Low

Subnet Mask Changed

Created when the subnet mask changes on a network connection.

Low

SYSVOL Location Changed

Created when the SYSVOL location is changed on a domain controller.

Low

TCP Allowed Port List Changed

Created when the contents of the TCP Allowed Port list are changed.

Medium

TCP/IP Filtering Changed

Created when the TCP/IP Filtering option is changed on a network connection.

Medium

UDP Allowed Port List Changed

Created when the contents of the UDP Allowed Port list are changed.

Medium

Update DNS on All Adapters Setting Changed

Created when Active Directory’s setting that controls the adapters on which a DC updates DNS is changed.

Medium

Use Connection Suffix in DNS Registration Option Changed

Created when the use this connection’s DNS suffix in DNS registration option is changed.

Medium

Use LMHOSTS Option Changed

Created when the LMHOSTS option on a network connection is changed.

Low

Use of Dynamic DNS Changed

Created when Active Directory’s use of dynamic DNS has been changed.

Medium

Use Primary and Connection Specific Suffixes Flag Changed

Created when the primary and connection-specific suffixes flag changes on a domain controller.

Medium

 

Connection Object

Connection Object From-server Changed

Created when the from-server of a connection object is changed.

Medium

Connection Object Schedule Changed

Created when a change is detected in the schedule attribute of a connection object.

Medium

Connection Object Transport Changed

Created when the transport type of a connection object is changed.

Medium

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
联系我们
获得许可 帮助
技术支持
查看全部
相关文档