ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying Active Directory security audit logs on a professional monitoring setup
Event ID 5136InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5136 – Microsoft-Windows-Security-Auditing: Directory Service Object Modified

Event ID 5136 logs when Active Directory objects are modified, tracking changes to user accounts, groups, organizational units, and other directory objects for security auditing purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5136Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 5136 represents a cornerstone of Active Directory security auditing, providing granular visibility into directory service modifications. When enabled through Group Policy or local security policy, this event captures every change made to directory objects, creating an immutable audit trail of administrative actions.

The event structure includes critical forensic data: the security identifier (SID) of the account making the change, the distinguished name of the modified object, specific attributes that changed, old and new values, and timestamp information. This level of detail enables security analysts to reconstruct the complete sequence of directory modifications during incident investigations.

Modern threat actors frequently target Active Directory infrastructure, making 5136 monitoring essential for detecting privilege escalation, unauthorized access, and persistence mechanisms. The event helps identify suspicious patterns such as rapid group membership changes, unusual attribute modifications, or changes occurring outside normal business hours. Security Information and Event Management (SIEM) systems commonly use 5136 events as primary indicators for detecting insider threats and advanced persistent threats targeting directory services.

In Windows Server 2025 and later versions, Microsoft enhanced the event format to include additional context about the modification source and improved correlation capabilities with other security events. This makes 5136 even more valuable for comprehensive security monitoring and automated threat detection workflows.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025
Analysis

Possible Causes

  • User account modifications including password changes, account property updates, and security settings adjustments
  • Security group membership changes such as adding or removing users from domain groups
  • Organizational Unit (OU) structure modifications including object moves and permission changes
  • Computer account updates including password resets and attribute modifications
  • Group Policy Object (GPO) changes affecting directory-linked policies
  • Service account modifications and delegation changes
  • Directory schema updates and extension attribute modifications
  • Trust relationship changes between domains or forests
  • Administrative tool operations from Active Directory Users and Computers, PowerShell cmdlets, or third-party management tools
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific 5136 event details to understand what changed and who initiated the modification.

  1. Open Event Viewer on your domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5136 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: Shows who made the change (Account Name and Account Domain)
    • Object: Displays the DN of the modified directory object
    • Attribute: Identifies which specific attribute was changed
    • Old Value and New Value: Shows before and after states
  6. Note the timestamp and correlate with other security events if needed
Pro tip: Use the Details tab in XML view to see all available fields, including process information and additional context data.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze 5136 events across multiple domain controllers or time ranges.

  1. Open PowerShell as Administrator on a domain controller
  2. Query recent 5136 events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events for specific objects or users:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | Where-Object {$_.Message -like "*CN=John Doe*"} | Select-Object TimeCreated, Message
  4. Search for specific attribute changes:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | Where-Object {$_.Message -like "*memberOf*"} | Format-List TimeCreated, Message
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\AD_Changes.csv" -NoTypeInformation
Warning: Large environments may generate thousands of 5136 events daily. Use time filters and specific criteria to avoid performance issues.
03

Enable Detailed Directory Service Auditing

Configure comprehensive directory service auditing to ensure all relevant changes generate 5136 events.

  1. Open Group Policy Management Console on a domain controller
  2. Edit the Default Domain Controllers Policy
  3. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Expand DS Access and configure:
    • Audit Directory Service Changes: Enable Success and Failure
    • Audit Directory Service Access: Enable Success (optional, generates more events)
  5. Apply the policy and run gpupdate /force on domain controllers
  6. Verify auditing is active by checking the registry:
    Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics" -Name "5 Replication Events"
  7. Test by making a test change to a user account and confirming 5136 events appear
Pro tip: Consider enabling object-level auditing on critical OUs for more granular tracking of sensitive directory objects.
04

Implement SIEM Integration and Alerting

Set up automated monitoring and alerting for critical 5136 events using SIEM or log management solutions.

  1. Configure Windows Event Forwarding (WEF) to centralize 5136 events:
    wecutil cs subscription.xml
    Where subscription.xml contains your event collection configuration
  2. Create custom event queries for high-priority changes:
    <QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[EventID=5136]] and *[EventData[Data[@Name='AttributeLDAPDisplayName']='memberOf']]</Select>
  </Query>
</QueryList>
  3. Set up PowerShell-based alerting for critical changes:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 5136" -Action { 
    # Alert logic here
    Send-MailMessage -To "admin@company.com" -Subject "Critical AD Change" -Body $Event.SourceEventArgs.NewEvent.Message
}
  4. Configure log retention policies to maintain audit trails:
    Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded
  5. Create dashboards showing modification trends and anomalies
Warning: High-volume environments may require log archiving strategies to prevent storage issues while maintaining compliance requirements.
05

Advanced Forensic Analysis and Correlation

Perform detailed forensic analysis of 5136 events to investigate security incidents and track attack patterns.

  1. Extract detailed event data using advanced PowerShell techniques:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=(Get-Date).AddDays(-30)}
$ParsedEvents = foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        ObjectDN = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectDN'} | Select-Object -ExpandProperty '#text'
        AttributeName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'AttributeLDAPDisplayName'} | Select-Object -ExpandProperty '#text'
        OldValue = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'AttributeValue'} | Select-Object -ExpandProperty '#text'
    }
}
  2. Correlate with logon events (4624) to track user sessions:
    $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
# Cross-reference timestamps and user accounts
  3. Analyze patterns using timeline analysis:
    $ParsedEvents | Group-Object SubjectUserName | Sort-Object Count -Descending | Select-Object Name, Count
  4. Check for privilege escalation indicators by monitoring group membership changes
  5. Generate comprehensive reports for compliance and incident response:
    $ParsedEvents | Export-Csv -Path "C:\Forensics\AD_Modifications_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  6. Use tools like Microsoft's ATA or Azure ATP for advanced threat detection based on 5136 patterns
Pro tip: Create baseline profiles of normal administrative activity to better identify anomalous changes that may indicate compromise or insider threats.

Overview

Event ID 5136 fires whenever an Active Directory object undergoes modification, making it one of the most critical events for domain security monitoring. This event captures changes to user accounts, security groups, organizational units, computer objects, and other directory service objects within your domain environment.

The event generates in the Security log on domain controllers when directory service auditing is enabled. Each 5136 event contains detailed information about what changed, who made the change, and when it occurred. This includes attribute-level changes such as password resets, group membership modifications, account property updates, and permission changes.

Windows generates this event through the Local Security Authority Subsystem Service (LSASS) process when it processes directory modification requests. The event provides forensic-quality audit trails essential for compliance frameworks like SOX, HIPAA, and PCI-DSS. Security teams rely on 5136 events to detect unauthorized changes, track administrative actions, and investigate potential security incidents involving directory objects.

Frequently Asked Questions

What does Event ID 5136 mean and why is it important?+
Event ID 5136 indicates that an Active Directory object has been modified. This event is crucial for security monitoring because it provides detailed audit trails of all changes made to directory objects including users, groups, computers, and organizational units. It helps detect unauthorized changes, track administrative actions, and investigate security incidents. The event includes information about who made the change, what object was modified, which specific attributes changed, and the old versus new values.
How can I reduce the volume of 5136 events without losing important security information?+
You can optimize 5136 event volume by implementing selective auditing strategies. Focus auditing on critical objects by configuring object-level auditing only on sensitive OUs, security groups, and privileged accounts. Use Group Policy to exclude routine changes like computer account password updates. Implement event filtering at the collection level to focus on high-value attributes like group membership, user permissions, and administrative account changes. Consider using Windows Event Forwarding with custom queries to collect only relevant events centrally.
What are the most critical 5136 events I should monitor for security threats?+
Focus on 5136 events involving group membership changes (memberOf attribute), especially for privileged groups like Domain Admins, Enterprise Admins, and Schema Admins. Monitor user account modifications including password changes, account enabling/disabling, and permission changes. Watch for organizational unit modifications that could indicate lateral movement. Pay attention to service account changes and delegation modifications. Events occurring outside business hours or from unusual source accounts should trigger immediate investigation as they often indicate compromise or insider threats.
How do I correlate Event ID 5136 with other Windows security events for incident investigation?+
Correlate 5136 events with logon events (4624, 4625) to track user sessions and identify the source of changes. Cross-reference with privilege use events (4672, 4673) to understand elevated permissions usage. Link with process creation events (4688) to identify tools used for modifications. Use account management events (4720-4767) alongside 5136 to get complete account lifecycle visibility. Timeline analysis combining these events provides comprehensive incident reconstruction. Tools like PowerShell, SIEM platforms, or Microsoft's security tools can automate this correlation process.
What should I do if I see suspicious 5136 events indicating potential compromise?+
Immediately isolate the affected accounts and systems to prevent further unauthorized changes. Document all suspicious 5136 events including timestamps, modified objects, and source accounts. Reset passwords for potentially compromised accounts and review group memberships for unauthorized additions. Check for persistence mechanisms like new service accounts or delegation changes. Correlate with other security events to understand the attack timeline. Implement additional monitoring on affected objects and consider enabling more granular auditing. Engage incident response procedures and consider involving law enforcement if data exfiltration is suspected.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive guide to Windows security auditing events including detailed explanations of Event ID 5136 and related directory service audit events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial Microsoft documentation covering advanced audit policy configuration for directory service auditing and Event ID 5136 generation.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5136#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...