ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Active Directory management console and Event Viewer displaying security audit logs on professional monitoring setup
Event ID 5137InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5137 – Microsoft-Windows-Security-Auditing: Directory Service Object Created

Event ID 5137 logs when a new object is created in Active Directory, providing detailed audit information about the creation event, including the object DN, class, and security principal responsible.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 5137Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 5137 represents one of the core Active Directory auditing events that organizations use to maintain visibility into directory service changes. When enabled through the Audit Directory Service Access policy, this event captures detailed information about every object creation operation within the Active Directory database.

The event structure includes several critical data points: the Security ID and Account Name of the principal performing the creation, the Object DN (Distinguished Name) identifying the exact location and name of the created object, the Object Class specifying the type of object created (user, group, organizationalUnit, computer, etc.), and additional attributes that may have been set during creation.

From a security perspective, Event ID 5137 serves as a fundamental building block for detecting unauthorized object creation, tracking administrative activities, and maintaining compliance with regulations like SOX, HIPAA, and PCI-DSS. Security teams often correlate these events with other audit logs to build comprehensive timelines of administrative actions.

The event fires on the domain controller that processes the LDAP creation request, which means in multi-DC environments, you may see the same logical creation operation logged on different domain controllers depending on replication timing and client connection patterns. This distributed logging provides redundancy for audit trails but requires careful correlation when investigating specific incidents.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • User account creation through Active Directory Users and Computers or PowerShell cmdlets
  • Group creation by administrators or automated provisioning systems
  • Organizational Unit (OU) creation during AD restructuring or delegation setup
  • Computer object creation during domain join operations
  • Service account creation for application installations
  • Contact object creation for external email addresses
  • Custom object creation through LDAP applications or scripts
  • Exchange mailbox creation triggering associated AD objects
  • Automated provisioning systems creating objects based on HR feeds
  • Group Policy object creation in the System container
Resolution Methods

Troubleshooting Steps

01

Query Event ID 5137 Using Event Viewer

Navigate to Event Viewer to examine recent object creation events and identify patterns or anomalies.

  1. Open Event Viewer on your domain controller
  2. Navigate to Windows LogsSecurity
  3. In the Actions pane, click Filter Current Log
  4. Enter 5137 in the Event IDs field and click OK
  5. Review the filtered events, paying attention to the Object DN and Subject Account Name fields
  6. Double-click specific events to view detailed information including object class and creation timestamp
  7. Look for unusual creation patterns, such as bulk object creation outside normal business hours or objects created in unexpected OUs
Pro tip: Use the Event Viewer's XML view to see all available event data, including custom attributes that may not display in the General tab.
02

PowerShell Analysis of Object Creation Events

Use PowerShell to perform advanced filtering and analysis of Event ID 5137 across multiple domain controllers.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent object creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137} -MaxEvents 100 | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='ObjectDN';Expression={$_.Properties[8].Value}}, @{Name='ObjectClass';Expression={$_.Properties[9].Value}}
  3. Filter for specific object types:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137} | Where-Object {$_.Properties[9].Value -eq 'user'} | Select-Object TimeCreated, @{Name='CreatedUser';Expression={$_.Properties[8].Value}}
  4. Search across multiple domain controllers:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=5137; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\AD_Object_Creation_Report.csv" -NoTypeInformation
03

Configure Advanced Auditing for Object Creation Tracking

Implement comprehensive auditing policies to ensure Event ID 5137 captures all necessary object creation activities.

  1. Open Group Policy Management Console on a domain controller
  2. Navigate to your domain's Default Domain Controllers Policy or create a dedicated auditing GPO
  3. Edit the policy and go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Expand DS Access and configure Audit Directory Service Changes to Success
  5. For granular control, use auditpol.exe:
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
  6. Verify current audit settings:
    auditpol /get /subcategory:"Directory Service Changes"
  7. Apply the policy using:
    gpupdate /force
  8. Test the configuration by creating a test object and verifying Event ID 5137 appears in the Security log
Warning: Enabling comprehensive DS auditing can generate significant log volume. Ensure adequate log retention and storage capacity.
04

Automated Monitoring and Alerting Setup

Implement automated monitoring to detect suspicious object creation patterns and generate real-time alerts.

  1. Create a PowerShell monitoring script:
    # Monitor-ADObjectCreation.ps1
$LastCheck = (Get-Date).AddMinutes(-5)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137; StartTime=$LastCheck}

foreach ($Event in $Events) {
    $ObjectDN = $Event.Properties[8].Value
    $Creator = $Event.Properties[1].Value
    $ObjectClass = $Event.Properties[9].Value
    
    # Alert on suspicious patterns
    if ($ObjectClass -eq 'user' -and $Event.TimeCreated.Hour -lt 6) {
        Write-Warning "Off-hours user creation: $ObjectDN by $Creator"
        # Send alert email or log to SIEM
    }
}
  2. Schedule the script using Task Scheduler or run it as a Windows service
  3. Configure Windows Event Forwarding to centralize Event ID 5137 collection:
    wecutil cs subscription.xml
  4. Set up custom event log views in Event Viewer for quick access to object creation events
  5. Integrate with SIEM solutions by configuring log forwarding or using Windows Event Collector
  6. Create dashboard queries to visualize object creation trends and identify anomalies
05

Forensic Investigation of Object Creation Events

Perform detailed forensic analysis of Event ID 5137 for security incident investigation and compliance reporting.

  1. Collect comprehensive event data across all domain controllers:
    $StartDate = (Get-Date).AddDays(-90)
$DCs = (Get-ADDomainController -Filter *).Name
$AllEvents = @()

foreach ($DC in $DCs) {
    try {
        $Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{LogName='Security'; Id=5137; StartTime=$StartDate} -ErrorAction Stop
        $AllEvents += $Events
    } catch {
        Write-Warning "Could not retrieve events from $DC: $($_.Exception.Message)"
    }
}
  2. Analyze object creation patterns:
    $Analysis = $AllEvents | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Creator = $_.Properties[1].Value
        ObjectDN = $_.Properties[8].Value
        ObjectClass = $_.Properties[9].Value
        DC = $_.MachineName
    }
} | Sort-Object TimeCreated
  3. Generate compliance reports:
    $Analysis | Group-Object Creator | Select-Object Name, Count | Sort-Object Count -Descending | Export-Csv "ObjectCreationByUser.csv"
  4. Correlate with other security events (4624, 4648) to build complete activity timelines
  5. Use Event Log Explorer or similar tools for advanced filtering and correlation across multiple log sources
  6. Document findings in incident response reports, including object creation timelines and responsible parties
Pro tip: Combine Event ID 5137 analysis with 5136 (object modified) and 5141 (object deleted) events for complete object lifecycle visibility.

Overview

Event ID 5137 fires whenever a new object is created in Active Directory Domain Services. This security audit event captures comprehensive details about directory service object creation activities, making it essential for compliance monitoring and security investigations. The event appears in the Security log on domain controllers when directory service access auditing is enabled through Group Policy.

This event provides critical visibility into AD object lifecycle management, recording who created what objects and when. System administrators rely on 5137 events to track organizational unit creation, user account provisioning, group establishment, and computer object additions. The event includes the distinguished name of the created object, its object class, and the security principal that performed the creation operation.

Understanding Event ID 5137 is crucial for maintaining Active Directory security posture and meeting regulatory compliance requirements. The event fires on all domain controllers that process the creation request, providing distributed audit coverage across your AD infrastructure.

Frequently Asked Questions

What does Event ID 5137 mean and when does it occur?+
Event ID 5137 indicates that a new object has been created in Active Directory Domain Services. This security audit event fires whenever any type of AD object is created, including users, groups, organizational units, computers, contacts, or custom objects. The event occurs on the domain controller that processes the LDAP creation request and provides detailed information about what was created, when, and by whom. This event is essential for tracking AD changes and maintaining security compliance.
How do I enable Event ID 5137 logging in my Active Directory environment?+
To enable Event ID 5137 logging, you must configure the 'Audit Directory Service Changes' policy through Group Policy. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → DS Access, then enable 'Audit Directory Service Changes' for Success events. Alternatively, use the command 'auditpol /set /subcategory:"Directory Service Changes" /success:enable' on each domain controller. After applying the policy with 'gpupdate /force', Event ID 5137 will begin appearing in the Security log whenever AD objects are created.
What information is included in Event ID 5137 and how can I interpret it?+
Event ID 5137 contains several key data points: the Security ID and Account Name of the user or service that created the object, the Object DN (Distinguished Name) showing the exact location and name of the created object, the Object Class indicating the type of object (user, group, organizationalUnit, etc.), and additional attributes that may have been set during creation. The event also includes timestamp information and the domain controller that logged the event. This data helps administrators track who created what objects and when, which is crucial for security monitoring and compliance reporting.
Can Event ID 5137 help detect unauthorized Active Directory changes?+
Yes, Event ID 5137 is excellent for detecting unauthorized AD object creation. By monitoring these events, you can identify objects created outside normal business hours, bulk object creation that might indicate automated attacks, objects created in unexpected organizational units, or creation activities by accounts that shouldn't have those permissions. Establish baselines for normal object creation patterns in your environment, then set up alerts for deviations. Correlating Event ID 5137 with logon events (4624) and privilege use events (4672) provides comprehensive visibility into potentially malicious administrative activities.
How should I manage the volume of Event ID 5137 logs in a large Active Directory environment?+
In large AD environments, Event ID 5137 can generate significant log volume. Implement log management strategies including: configuring appropriate Security log retention periods based on compliance requirements, using Windows Event Forwarding to centralize collection on dedicated log servers, implementing log rotation and archival policies, filtering events at collection time to focus on critical object types or suspicious patterns, and integrating with SIEM solutions for automated analysis and long-term storage. Consider using PowerShell scripts to regularly export and compress older events, and establish monitoring thresholds to alert on unusual spikes in object creation activity that might indicate security issues.
Documentation

References (2)

1
Microsoft Learn - Audit Directory Service ChangesOfficial Microsoft documentation covering the configuration and interpretation of directory service change auditing, including Event ID 5137.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
2
Windows Security Auditing Events ReferenceComprehensive reference for Windows security auditing events and their implementation in enterprise environments.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5137#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...