Forum

Ultimate Windows Security Forum » Security Log » 4719 - System audit policy was changed » Domain Controllers logging success/failure...

Domain Controllers logging success/failure...

Rate Topic

Display Mode

Topic Options

Author

Message

bobbychan

Posted 3/29/2017 10:03:37 AM

Forum Newbie

Group: Forum Members
Last Login: 3/27/2017 11:26:15 AM
Posts: 1, Visits: 2

When searching in our Splunk Logs with Event ID 4719, we have found that logs from different Domain Controllers have audit logs from different subcategory audit policies "removed" success/failure and immediately after, "added" success/failure for the same subcategory audit policy. What could be causing this? We are utilizing Server 2012 for our DCs.

Post #7352

derekthomas

Posted 4/11/2017 1:46:36 PM

Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0

I have seen this with conflicting GPO's. Default domain controllers GPO may set certain audit categories while another GPO may enable or disable those settings. Check for multiple GPO's trying to set audit settings.

Post #7357

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 3:17pm

Upcoming Webinars

Pivoting from Linux to Windows: Using Behavior to Detect Intrusions Involving Edge Devices

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.