Saturday, 23 November 2013

Event ID 5136 - Active Directory Object Change Event

In this article, I explain the Active Directory change audit Event ID 5136: how to enable or configure it through the Default Domain Controllers Policy GPO and Auditpol.exe, and how to disable it.

Summary:


Event ID 5136 Source: Old Value (Deleted Attribute Value)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23/11/2013 1:30:42 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myDC.myDomain.com
Description:
A directory service object was modified.
 
Subject:
 Security ID:  myDomain\Administrator
 Account Name:  Administrator
 Account Domain:  myDomain
 Logon ID:  0x2c8f4

Directory Service:
 Name: myDomain.local
 Type: Active Directory Domain Services
 
Object:
 DN: CN=TestUser,OU=Test,DC=myDomain,DC=Com
 GUID: CN=TestUser,OU=Test,DC=myDomain,DC=Com
 Class: user
 
Attribute:
 LDAP Display Name: physicalDeliveryOfficeName
 Syntax (OID): 2.5.5.12
 Value: TechPark
 
Operation:
 Type: Value Deleted
 Correlation ID: {cd1aa2fa-7d62-43c5-8c95-3ba03569a4f2}
 Application Correlation ID: -

Event ID 5136 Source: New Value (Added Attribute Value)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          23/11/2013 1:30:42 PM
Event ID:      5136
Task Category: Directory Service Changes
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myDC.myDomain.Com
Description:
A directory service object was modified.
 
Subject:
 Security ID:  myDomain\Administrator
 Account Name:  Administrator
 Account Domain:  myDomain
 Logon ID:  0x2c8f4

Directory Service:
 Name: myDomain.com
 Type: Active Directory Domain Services
 
Object:
 DN: CN=TestUser,OU=Test,DC=myDomain,DC=Com
 GUID: CN=TestUser,OU=Test,DC=myDomain,DC=Com
 Class: user
 
Attribute:
 LDAP Display Name: physicalDeliveryOfficeName
 Syntax (OID): 2.5.5.12
 Value: TechZone
 
Operation:
 Type: Value Added
 Correlation ID: {cd1aa2fa-7d62-43c5-8c95-3ba03569a4f2}
 Application Correlation ID: -

Mapping 5136 Old Value Event and New Value Event

Any change to an attribute of an Active Directory object logs two 5136 events: one for the deleted attribute value and one for the added attribute value. You can find the old value (deleted value) that corresponds to a new value (added value) by mapping these two events.

The Operation: section appears in both events.
In the Old Value event:
Operation:
 Type: Value Deleted
 Correlation ID: {cd1aa2fa-7d62-43c5-8c95-3ba03569a4f2}
 Application Correlation ID: -
In the New Value event:
Operation:
 Type: Value Added
 Correlation ID: {cd1aa2fa-7d62-43c5-8c95-3ba03569a4f2}
 Application Correlation ID: -

Here you can see the field Type:, which tells whether the value was Added or Deleted, and the field Correlation ID:, which is shared by the two events of the same change and is unique to that change. So you can map these two events by matching the value of Correlation ID.

After mapping the events, you can find the changed attribute name in the field LDAP Display Name:. From the event samples above, we can conclude that the value of the physicalDeliveryOfficeName (Office) attribute was changed from 'TechPark' to 'TechZone' for the user 'TestUser'.
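The mapping described above, as an added example (not code from the original post): a small parser for the 5136 message body and a function that pairs the Value Deleted and Value Added events by Correlation ID. The sample event bodies are constructed here in the shape of the two events shown above; the helper and function names are my own.

```python
import re

def sample_5136(op, value):
    """Constructed 5136 message body in the shape of the samples above."""
    return f"""Subject:
 Account Name:  Administrator
Directory Service:
 Type: Active Directory Domain Services
Object:
 DN: CN=TestUser,OU=Test,DC=myDomain,DC=Com
Attribute:
 LDAP Display Name: physicalDeliveryOfficeName
 Value: {value}
Operation:
 Type: Value {op}
 Correlation ID: {{cd1aa2fa-7d62-43c5-8c95-3ba03569a4f2}}
"""

def parse_5136(text):
    """Map 'Section/Field' -> value, so the two 'Type:' fields stay distinct."""
    fields, section = {}, None
    for line in text.splitlines():
        # Section headers are unindented lines ending in ':' (Subject:, Operation:, ...)
        if line.strip() and not line[0].isspace() and line.rstrip().endswith(':'):
            section = line.strip()[:-1]
            continue
        m = re.match(r'\s*([^:]+):\s*(.*)$', line)
        if m and section:
            fields[f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
    return fields

def correlate_5136(event_texts):
    """Pair Value Deleted / Value Added events that share a Correlation ID."""
    by_id = {}
    for ev in map(parse_5136, event_texts):
        cid = ev.get('Operation/Correlation ID')
        if cid:
            by_id.setdefault(cid, {})[ev['Operation/Type']] = ev
    changes = []
    for cid, pair in by_id.items():
        deleted, added = pair.get('Value Deleted'), pair.get('Value Added')
        ref = added or deleted
        # An unpaired event (attribute newly set, or cleared) leaves one side None
        changes.append({'correlation_id': cid, 'dn': ref['Object/DN'],
                        'attribute': ref['Attribute/LDAP Display Name'],
                        'old': deleted and deleted['Attribute/Value'],
                        'new': added and added['Attribute/Value']})
    return changes
# The two events from this page: TechPark deleted, TechZone added, same Correlation ID
SAMPLE_EVENTS = [sample_5136("Deleted", "TechPark"), sample_5136("Added", "TechZone")]
```

Running correlate_5136(SAMPLE_EVENTS) yields one change record with old 'TechPark' and new 'TechZone' for physicalDeliveryOfficeName on CN=TestUser.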

Enable Active Directory Change Event 5136 via Group Policy

    To enable Event ID 5136 on every Domain Controller, we need to configure the audit settings in the Default Domain Controllers Policy. Alternatively, you can create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policies in the Local Security Policy of each Domain Controller.

Follow the below steps to enable Active Directory change audit event 5136 via Default Domain Controllers Policy.

    1. Press the keys 'Windows' + 'R'.
    2. Type the command gpmc.msc, and click OK.
         Note: You can skip the above steps by clicking Start --> Administrative Tools --> Group Policy Management.
    3. Expand the domain node and the Domain Controllers OU, right-click the Default Domain Controllers Policy, then click Edit. - refer to the image below.

Enable Active Directory Change Audit Event ID 5136


    4. Expand the Computer Configuration node and Security Settings, and navigate to the DS Access node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access).

    5. Now set Audit Directory Service Changes to Success to enable the Active Directory change audit event 5136. - refer to the image below.

Enable Active Directory Change Audit Event ID 5136


    6. Run the command gpupdate /force from a command prompt to update the group policy settings.

Enable Object Level Security Audit (SACL):

    This event is also controlled by the system access control list (SACL) of the object: an access control entry (ACE) in the SACL must require the attribute modification to be logged. Even if the Directory Service Changes subcategory is enabled, no change auditing events are logged without such an ACE. For example, if there is no ACE in the SACL requiring Write Property access on the physicalDeliveryOfficeName attribute of a user object to be audited, no auditing events are generated when the physicalDeliveryOfficeName attribute is modified, even if the Directory Service Changes subcategory is enabled.

Follow the steps below to enable the SACL for the whole domain.

Note: You can also configure the SACL for a particular OU or user instead of the whole domain.

   1. Press the keys 'Windows' + 'R'.
   2. Type the command dsa.msc, and click OK.
       Note: You can skip the above steps by clicking Start --> Administrative Tools --> Active Directory Users and Computers.
   3. Right-click the domain object, and click Properties.
   4. Click the Security tab.
        Note: If the Security tab is not available, ensure that the option Advanced Features is checked under the View menu.
   5. Click the Advanced button, and select the Auditing tab.
   6. Click the Add button, find the principal Everyone, and click OK.
   7. Check Successful auditing for Write all properties. - refer to the image below.

Enable Active Directory Change Audit Event ID 5136


    8. Click OK, and then click Apply.


Enable Event ID 5136 via Auditpol

Auditpol.exe is the command-line utility for changing the audit security settings at the category and subcategory level. It is available by default on Windows Server 2008 R2 and later, and on Windows 7 and later.

Using Auditpol, we can get and set the audit security settings at the per-user level and at the computer (system) level.

Note: You should run the Auditpol command with elevated privileges (Run as Administrator).

You can enable Event ID 5136 through the Directory Service Changes subcategory by using the following command:
auditpol /set /subcategory:"Directory Service Changes" /success:enable
To update or refresh the GPO settings, run the command gpupdate /force

How to disable/stop Event ID 5136

You can disable or stop the audit Event ID 5136 by removing the success audit of the Directory Service Changes subcategory with the following command:
auditpol /set /subcategory:"Directory Service Changes" /success:disable
You can also stop this event by removing the Success setting from the Default Domain Controllers Policy at the setting path Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes.


Note: This article applies only to Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer
