#active-directory

Windows Event ID 4936 – Microsoft-Windows-Security-Auditing: User Account Management Policy Change

Event ID 4936 logs changes to user account management policies in Active Directory. This security audit event fires when administrators modify password policies, account lockout settings, or Kerberos authentication policies.

Windows Event ID 4928 – Microsoft-Windows-Security-Auditing: Active Directory Replica Source Naming Context Established

Event ID 4928 indicates that an Active Directory replica source naming context has been successfully established between domain controllers during replication operations.

Windows Event ID 4908 – Security: Trusted Domain Information Changed

Event ID 4908 indicates that trusted domain information has been modified on a domain controller, typically during domain trust establishment, modification, or removal operations.

Windows Event ID 4768 – Microsoft-Windows-Security-Auditing: Kerberos Authentication Ticket (TGT) Requested

Event ID 4768 logs when a user or service requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller during authentication.

Windows Event ID 4706 – Microsoft-Windows-Security-Auditing: Directory Service Object Created

Event ID 4706 logs when a new object is created in Active Directory Domain Services. This security audit event tracks organizational unit, user, group, and computer account creation for compliance monitoring.

Windows Event ID 5137 – Microsoft-Windows-Security-Auditing: Directory Service Object Created

Event ID 5137 logs when a new object is created in Active Directory, providing detailed audit information about the creation event, including the object DN, class, and security principal responsible.

Windows Event ID 5136 – Microsoft-Windows-Security-Auditing: Directory Service Object Modified

Event ID 5136 logs when Active Directory objects are modified, tracking changes to user accounts, groups, organizational units, and other directory objects for security auditing purposes.

Windows Event ID 4761 – Microsoft-Windows-Security-Auditing: Computer Account Created

Event ID 4761 logs when a computer account is created in Active Directory. This security audit event tracks domain computer additions for compliance and security monitoring purposes.

Windows Event ID 4757 – Microsoft-Windows-Security-Auditing: Universal Security Group Member Removed

Event ID 4757 fires when a member is removed from a universal security group in Active Directory. This audit event tracks group membership changes for security compliance and access control monitoring.

Windows Event ID 4756 – Microsoft-Windows-Security-Auditing: Universal Security Group Member Added

Event ID 4756 fires when a member is added to a universal security group in Active Directory. This security audit event tracks group membership changes for compliance and security monitoring.

Windows Event ID 4754 – Microsoft-Windows-Security-Auditing: Security-Enabled Universal Group Member Added

Event ID 4754 fires when a member is added to a security-enabled universal group in Active Directory. This audit event tracks group membership changes for compliance and security monitoring.

Windows Event ID 4753 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Member Removed

Event ID 4753 logs when a member is removed from a security-enabled global group in Active Directory. This security audit event tracks group membership changes for compliance and security monitoring.