Windows Security Log Event ID 5137
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Directory Service • Directory Service Changes |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
566
|
5137: A directory service object was created
On this page
This event documents creations of AD objects, identifying the object created and user who created it.
Of course this event will only be logged when the object's parent's audit policy has auditing enabled for creation of the object class involved and for the user performing the action or a group to which the user belongs.
For users, groups and computers there are specific events for tracking creation. See "User account management", etc.
Free Security Log Resources by Randy
Subject:
The user and logon session that created the object.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Directory Service:
- Name: DNS name of the domain of the object
- Type: "Active Directory Domain Services" or possibly other directory service if appropriate. Maybe different value for ADAM or Lightweight Directory Services?
Object:
This is the object just created.
- DN: the X.400 distinguished name of the object
- GUID: while "GUID" would indicate this should be the globally unique identifier of the object, as of Win2008 RC1 this event appears to just be the DN repeated
- Class: the objectClass of the object as defined in the AD schema
Operation:
- Correlation ID: Multiple modifications are often executed as one operation via LDAP. This value allows you to correlate all the modification events that comprise the operation. Just look for other events with the same Correlation ID.
- Application Correlation ID: Always "-"? Unknown. Start a discussion below if you have information on this field!
Supercharger Free Edition
Creation of a User
A directory service object was created.
Subject:
Security ID: ACME\Administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x27a79
Directory Service:
Name: acme.local
Type: Active Directory Domain Services
Object:
DN: cn=Nimrod Jones,OU=New York,OU=AcmeUsers,DC=acme,DC=local
GUID: CN=Nimrod Jones\0ADEL:24f60da0-baeb-4e6c-99f1- 8fdad6a39515,CN=Deleted Objects,DC=acme,DC=local
Class: user
Operation:
Correlation ID: {60818a5a-4bdb-4c72-bcd2-7e54ba21b25e}
Application Correlation ID: -
----------------------------------------------------
Creation of a Group Policy Object
A directory service object was created.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: CN={8F8DF4A9-5B21-4A27-9BA6- 1AECC663E843},CN=Policies,CN=System,DC=acme,DC=com
GUID: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843}\0ADEL:291d5001- 782a-4b3c-a319-87c060621b0e,CN=Deleted Objects,DC=acme,DC=com
Class: groupPolicyContainer
Operation:
Correlation ID: {f4435860-98a6-4846-9cbb-3a43b117333e}
Application Correlation ID: -
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection