Active Directory Logs: Monitor AD Security and Performance

Below is a list of Active Directory event logs that are recommended to monitor for security and performance.
These AD event logs can be monitored with an Active Directory Audit Tool to quickly troubleshoot, audit
and detect potential security threats.

Refer to the article Signs of Active Directory Compromise Guide for more details on the event logs.

I’ve put the events into a table that can be searched and sorted.

Event IDSeverityDescriptionCategory
1102Medium to HighThe audit log was cleared
4608LowWindows is starting up.Security State Change
4609LowWindows is shutting down.Security State Change
4610LowAn authentication package has been loaded by the Local Security Authority.Security System Extension
4611LowA trusted logon process has been registered with the Local Security Authority.Security System Extension
4612LowInternal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.System Integrity
4614LowA notification package has been loaded by the Security Account Manager.Security System Extension
4615LowInvalid use of LPC port.System Integrity
4616LowThe system time was changed.Security State Change
4618HighA monitored security event pattern has occurred.System Integrity
4621MediumAdministrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.Security State Change
4622LowA security package has been loaded by the Local Security Authority.Security System Extension
4624LowAn account was successfully logged on.Logon
4625LowAn account failed to log on.logon
4634LowAn account was logged off.Logoff
4646LowIKE DoS-prevention mode started.Ipsec Main Mode
4647LowUser initiated logoff.Logoff
4648LowA logon was attempted using explicit credentials.Logon
4649HighA replay attack was detected. May be a harmless false positive due to misconfiguration error.Other Account Logon Events
4650LowAn IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.Ipsec Main Mode
4651LowAn IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.Ipsec Main Mode
4652LowAn IPsec Main Mode negotiation failed.Ipsec Main Mode
4653LowAn IPsec Main Mode negotiation failed.Ipsec Main Mode
4654LowAn IPsec Quick Mode negotiation failed.
4655LowAn IPsec Main Mode security association ended.Ipsec Main Mode
4656LowA handle to an object was requested.Handle Manipulation
4657LowA registry value was modified.Registry
4658LowThe handle to an object was closed.Handle Manipulation
4659LowA handle to an object was requested with intent to delete.Kernal Object
4660LowAn object was deleted.Kernal Object
4661LowA handle to an object was requested.Kernal Object
4662LowAn operation was performed on an object.Directory Service Access
4663LowAn attempt was made to access an object.Kernal Object
4664LowAn attempt was made to create a hard link.File System
4665LowAn attempt was made to create an application client context.Application Generated
4666LowAn application attempted an operation:Application Generated
4667LowAn application client context was deleted.Application Generated
4668LowAn application was initialized.Application Generated
4670LowPermissions on an object were changed.Other Policy Change Events
4671LowAn application attempted to access a blocked ordinal through the TBS.Other Object Access Events
4672LowSpecial privileges assigned to new logon.Sensitive Privilege Use
4673LowA privileged service was called.Sensitive Privilege Use
4674LowAn operation was attempted on a privileged object.Sensitive Privilege Use
4675MediumSIDs were filtered.Logon
4688LowA new process has been created.Process Creation
4689LowA process has exited.Process Termination
4690LowAn attempt was made to duplicate a handle to an object.Handle Manipulation
4691LowIndirect access to an object was requested.Other Object Access Events
4692MediumBackup of data protection master key was attempted.DPAPI Activity
4693MediumRecovery of data protection master key was attempted.DPAPI Activity
4694LowProtection of auditable protected data was attempted.DPAPI Activity
4695LowUnprotection of auditable protected data was attempted.DPAPI Activity
4696LowA primary token was assigned to process.Process Creation
4697LowAttempt to install a serviceSecurity System Extension
4698LowA scheduled task was created.Other Object Access Events
4699LowA scheduled task was deleted.Other Object Access Events
4700LowA scheduled task was enabled.Other Object Access Events
4701LowA scheduled task was disabled.Other Object Access Events
4702LowA scheduled task was updated.Other Object Access Events
4704LowA user right was assigned.Authorization Police Change
4705LowA user right was removed.Authorization Police Change
4706MediumA new trust was created to a domain.Authorization Police Change
4707LowA trust to a domain was removed.Authorization Police Change
4709LowIPsec Services was started.Filtering Platform Policy Change
4710LowIPsec Services was disabled.Filtering Platform Policy Change
4711LowMay contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine applied Active Directory storage IPsec policy on the computer. PAStore Engine applied local registry storage IPsec policy on the computer. PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply Active Directory storage IPsec policy on the computer. PAStore Engine failed to apply local registry storage IPsec policy on the computer. PAStore Engine failed to apply some rules of the active IPsec policy on the computer. PAStore Engine failed to load directory storage IPsec policy on the computer. PAStore Engine loaded directory storage IPsec policy on the computer. PAStore Engine failed to load local storage IPsec policy on the computer. PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.Filtering Platform Policy Change
4712LowIPsec Services encountered a potentially serious failure.
4713MediumKerberos policy was changed.Authentication Policy Change
4714MediumEncrypted data recovery policy was changed.Authorization Police Change
4715MediumThe audit policy (SACL) on an object was changed.Audit Policy Change
4716MediumTrusted domain information was modified.Authentication Policy Change
4717LowSystem security access was granted to an account.Authentication Policy Change
4718LowSystem security access was removed from an account.Authentication Policy Change
4719HighSystem audit policy was changed.Audit Policy Change
4720LowA user account was created.User Account Management
4722LowA user account was enabled.User Account Management
4723LowAn attempt was made to change an account's password.User Account Management
4724MediumAn attempt was made to reset an account's password.User Account Management
4725LowA user account was disabled.User Account Management
4726LowA user account was deleted.User Account Management
4727MediumA security-enabled global group was created.Security Group Management
4728LowA member was added to a security-enabled global group.Security Group Management
4729LowA member was removed from a security-enabled global group.Security Group Management
4730LowA security-enabled global group was deleted.Security Group Management
4731LowA security-enabled local group was created.Security Group Management
4732LowA member was added to a security-enabled local group.Security Group Management
4733LowA member was removed from a security-enabled local group.Security Group Management
4734LowA security-enabled local group was deleted.Security Group Management
4735MediumA security-enabled local group was changed.Security Group Management
4737MediumA security-enabled global group was changed.Security Group Management
4738LowA user account was changed.User Account Management
4739MediumDomain Policy was changed.Authentication Policy Change
4740LowA user account was locked out.User Account Management
4741LowA computer account was changed.Computer Account Management
4742LowA computer account was changed.Computer Account Management
4743LowA computer account was deleted.Computer Account Management
4744LowA security-disabled local group was created.Distribution Group Management
4745LowA security-disabled local group was changed.Distribution Group Management
4746LowA member was added to a security-disabled local group.Distribution Group Management
4747LowA member was removed from a security-disabled local group.Distribution Group Management
4748LowA security-disabled local group was deleted.Distribution Group Management
4749LowA security-disabled global group was created.Distribution Group Management
4750LowA security-disabled global group was changed.Distribution Group Management
4751LowA member was added to a security-disabled global group.Distribution Group Management
4752LowA member was removed from a security-disabled global group.Distribution Group Management
4753LowA security-disabled global group was deleted.Distribution Group Management
4754MediumA security-enabled universal group was created.Security Group Management
4755MediumA security-enabled universal group was changed.Security Group Management
4756LowA member was added to a security-enabled universal group.Security Group Management
4757LowA member was removed from a security-enabled universal group.Security Group Management
4758LowA security-enabled universal group was deleted.Security Group Management
4759LowA security-disabled universal group was created.Distribution Group Management
4760LowA security-disabled universal group was changed.Distribution Group Management
4761LowA member was added to a security-disabled universal group.Distribution Group Management
4762LowA member was removed from a security-disabled universal group.Distribution Group Management
4764MediumA group's type was changed.Security Group Management
4765HighSID History was added to an account.User Account Management
4766HighAn attempt to add SID History to an account failed.User Account Management
4767LowA user account was unlocked.User Account Management
4768LowA Kerberos authentication ticket (TGT) was requested.Audit Kerberos Authentication Service
4769LowA Kerberos service ticket was requested.Audit Kerberos Service Ticket Operations
4770LowA Kerberos service ticket was renewed.Audit Kerberos Service Ticket Operations
4771LowKerberos pre-authentication failed.Audit Kerberos Authentication Service
4772LowA Kerberos authentication ticket request failed.Audit Kerberos Authentication Service
4774LowAn account was mapped for logon.Audit Credential Validation
4775LowAn account could not be mapped for logon.Audit Credential Validation
4776LowThe domain controller attempted to validate the credentials for an account.Audit Credential Validation
4777LowThe domain controller failed to validate the credentials for an account.Audit Credential Validation
4778LowA session was reconnected to a Window Station.Other Account Logon Events
4779LowA session was disconnected from a Window Station.Other Account Logon Events
4780MediumThe ACL was set on accounts which are members of administrators groups.User Account Management
4781LowThe name of an account was changed:User Account Management
4782LowThe password hash an account was accessed.Other Account Management Events
4783LowA basic application group was created.Application Group Management
4784LowA basic application group was changed.Application Group Management
4785LowA member was added to a basic application group.Application Group Management
4786LowA member was removed from a basic application group.Application Group Management
4787LowA nonmember was added to a basic application group.Application Group Management
4788LowA nonmember was removed from a basic application group.Application Group Management
4789LowA basic application group was deleted.Application Group Management
4790LowAn LDAP query group was created.Application Group Management
4793LowThe Password Policy Checking API was called.Other Account Management Events
4794HighAn attempt was made to set the Directory Services Restore Mode.User Account Management
4800LowThe workstation was locked.Other Account Logon Events
4801LowThe workstation was unlocked.Other Account Logon Events
4802LowThe screen saver was invoked.Other Account Logon Events
4803LowThe screen saver was dismissed.Other Account Logon Events
4816MediumRPC detected an integrity violation while decrypting an incoming message.System Integrity
4817Auditing settings on object were changed.Audit Policy Change
4864LowA namespace collision was detected.Authentication Policy Change
4865MediumA trusted forest information entry was added.Authentication Policy Change
4866MediumA trusted forest information entry was removed.Authentication Policy Change
4867MediumA trusted forest information entry was modified.Authentication Policy Change
4868MediumThe certificate manager denied a pending certificate request.Certification Services
4869LowCertificate Services received a resubmitted certificate request.Certification Services
4870MediumCertificate Services revoked a certificate.Certification Services
4871LowCertificate Services received a request to publish the certificate revocation list (CRL).Certification Services
4872LowCertificate Services published the certificate revocation list (CRL).Certification Services
4873LowA certificate request extension changed.Certification Services
4874LowOne or more certificate request attributes changed.Certification Services
4875LowCertificate Services received a request to shut down.Certification Services
4876LowCertificate Services backup started.Certification Services
4877LowCertificate Services backup completed.Certification Services
4878LowCertificate Services restore started.Certification Services
4879LowCertificate Services restore completed.Certification Services
4880LowCertificate Services started.Certification Services
4881LowCertificate Services stopped.Certification Services
4882MediumThe security permissions for Certificate Services changed.Certification Services
4883LowCertificate Services retrieved an archived key.Certification Services
4884LowCertificate Services imported a certificate into its database.Certification Services
4885MediumThe audit filter for Certificate Services changed.Certification Services
4886LowCertificate Services received a certificate request.Certification Services
4887LowCertificate Services approved a certificate request and issued a certificate.Certification Services
4888LowCertificate Services denied a certificate request.Certification Services
4889LowCertificate Services set the status of a certificate request to pending.Certification Services
4890MediumThe certificate manager settings for Certificate Services changed.Certification Services
4891LowA configuration entry changed in Certificate Services.Certification Services
4892MediumA property of Certificate Services changed.Certification Services
4893LowCertificate Services archived a key.Certification Services
4894LowCertificate Services imported and archived a key.Certification Services
4895LowCertificate Services published the CA certificate to Active Directory Domain Services.Certification Services
4896MediumOne or more rows have been deleted from the certificate database.Certification Services
4897HighRole separation enabled:Certification Services
4898LowCertificate Services loaded a template.Certification Services
4902LowThe Per-user audit policy table was created.Audit Policy Change
4904LowAn attempt was made to register a security event source.Audit Policy Change
4905LowAn attempt was made to unregister a security event source.Audit Policy Change
4906MediumThe CrashOnAuditFail value has changed.Audit Policy Change
4907MediumAuditing settings on object were changed.Audit Policy Change
4908MediumSpecial Groups Logon table modified.Audit Policy Change
4909LowThe local policy settings for the TBS were changed.Other Policy Change Events
4910LowThe Group Policy settings for the TBS were changed.Other Policy Change Events
4912MediumPer User Audit Policy was changed.Audit Policy Change
4928LowAn Active Directory replica source naming context was established.Detailed Directory Service Replication
4929LowAn Active Directory replica source naming context was removed.Detailed Directory Service Replication
4930LowAn Active Directory replica source naming context was modified.Detailed Directory Service Replication
4931LowAn Active Directory replica destination naming context was modified.Detailed Directory Service Replication
4932LowSynchronization of a replica of an Active Directory naming context has begun.Directory Service Replication
4933LowSynchronization of a replica of an Active Directory naming context has ended.Directory Service Replication
4934LowAttributes of an Active Directory object were replicated.Detailed Directory Service Replication
4935LowReplication failure begins.Detailed Directory Service Replication
4936LowReplication failure ends.Detailed Directory Service Replication
4937LowA lingering object was removed from a replica.Detailed Directory Service Replication
4944LowThe following policy was active when the Windows Firewall started.MPSSVC Rule Level Policy Change
4945LowA rule was listed when the Windows Firewall started.MPSSVC Rule Level Policy Change
4946LowA change has been made to Windows Firewall exception list. A rule was added.MPSSVC Rule Level Policy Change
4947LowA change has been made to Windows Firewall exception list. A rule was modified.MPSSVC Rule Level Policy Change
4948LowA change has been made to Windows Firewall exception list. A rule was deleted.MPSSVC Rule Level Policy Change
4949LowWindows Firewall settings were restored to the default values.MPSSVC Rule Level Policy Change
4950LowA Windows Firewall setting has changed.MPSSVC Rule Level Policy Change
4951LowA rule has been ignored because its major version number was not recognized by Windows Firewall.MPSSVC Rule Level Policy Change
4952LowParts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.MPSSVC Rule Level Policy Change
4953LowA rule has been ignored by Windows Firewall because it could not parse the rule.MPSSVC Rule Level Policy Change
4954LowWindows Firewall Group Policy settings have changed. The new settings have been applied.MPSSVC Rule Level Policy Change
4956LowWindows Firewall has changed the active profile.MPSSVC Rule Level Policy Change
4957LowWindows Firewall did not apply the following rule:MPSSVC Rule Level Policy Change
4958LowWindows Firewall did not apply the following rule because the rule referred to items not configured on this computer:MPSSVC Rule Level Policy Change
4960MediumIPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.Ipsec Driver
4961MediumIPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.Ipsec Driver
4962MediumIPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.Ipsec Driver
4963MediumIPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.Ipsec Driver
4964HighSpecial groups have been assigned to a new logon.Special Logon
4965MediumIPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.Ipsec Driver
4976MediumDuring Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.Ipsec Main Mode
4977MediumDuring Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.ipsec quick mode
4978MediumDuring Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.Ipsec Extended Mode
4979LowIPsec Main Mode and Extended Mode security associations were established.Ipsec Extended Mode
4980LowIPsec Main Mode and Extended Mode security associations were established.Ipsec Extended Mode
4981LowIPsec Main Mode and Extended Mode security associations were established.Ipsec Extended Mode
4982LowIPsec Main Mode and Extended Mode security associations were established.Ipsec Extended Mode
4983MediumAn IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.Ipsec Extended Mode
4984MediumAn IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.Ipsec Extended Mode
4985LowThe state of a transaction has changed.File System
5024LowThe Windows Firewall Service has started successfully.
5025LowThe Windows Firewall Service has been stopped.
5027MediumThe Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
5028MediumThe Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
5029MediumThe Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
5030MediumThe Windows Firewall Service failed to start.
5031LowThe Windows Firewall Service blocked an application from accepting incoming connections on the network.Filtering Platform Connection
5032LowWindows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033LowThe Windows Firewall Driver has started successfully.
5034LowThe Windows Firewall Driver has been stopped.
5035MediumThe Windows Firewall Driver failed to start.
5037MediumThe Windows Firewall Driver detected critical runtime error. Terminating.
5038MediumCode integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.System Integrity
5039LowA registry key was virtualized.Registry
5040LowA change has been made to IPsec settings. An Authentication Set was added.
5041LowA change has been made to IPsec settings. An Authentication Set was modified.
5042LowA change has been made to IPsec settings. An Authentication Set was deleted.
5043LowA change has been made to IPsec settings. A Connection Security Rule was added.
5044LowA change has been made to IPsec settings. A Connection Security Rule was modified.
5045LowA change has been made to IPsec settings. A Connection Security Rule was deleted.
5046LowA change has been made to IPsec settings. A Crypto Set was added.
5047LowA change has been made to IPsec settings. A Crypto Set was modified.
5048LowA change has been made to IPsec settings. A Crypto Set was deleted.
5049LowAn IPsec Security Association was deleted.Ipsec Main Mode
5050LowAn attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False)
5051LowA file was virtualized.File System
5056LowA cryptographic self test was performed.System Integrity
5057LowA cryptographic primitive operation failed.System Integrity
5058LowKey file operation.
5059LowKey migration operation.
5060LowVerification operation failed.System Integrity
5061LowCryptographic operation.System Integrity
5062LowA kernel-mode cryptographic self test was performed.System Integrity
5063LowA cryptographic provider operation was attempted.Other Policy Change Events
5064LowA cryptographic context operation was attempted.Other Policy Change Events
5065LowA cryptographic context modification was attempted.Other Policy Change Events
5066LowA cryptographic function operation was attempted.Other Policy Change Events
5067LowA cryptographic function modification was attempted.Other Policy Change Events
5068LowA cryptographic function provider operation was attempted.Other Policy Change Events
5069LowA cryptographic function property operation was attempted.Other Policy Change Events
5070LowA cryptographic function property modification was attempted.Other Policy Change Events
5120MediumOCSP Responder Service Started
5121MediumOCSP Responder Service Stopped
5122MediumA configuration entry changed in OCSP Responder Service
5123MediumA configuration entry changed in OCSP Responder Service
5124HighA security setting was updated on the OCSP Responder Service
5125LowA request was submitted to the OCSP Responder Service
5126LowSigning Certificate was automatically updated by the OCSP Responder Service
5127LowThe OCSP Revocation Provider successfully updated the revocation information
5136LowA directory service object was modified.Directry Service Changes
5137LowA directory service object was created.Directry Service Changes
5138LowA directory service object was undeleted.Directry Service Changes
5139LowA directory service object was moved.Directry Service Changes
5140LowA network share object was accessed.File Share
5141LowA directory service object was deleted.Directry Service Changes
5152LowThe Windows Filtering Platform blocked a packet.Filtering Platform Packet Drop
5153LowA more restrictive Windows Filtering Platform filter has blocked a packet.Filtering Platform Packet Drop
5154LowThe Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.Detailed File Share
5155LowThe Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.Filtering Platform Connection
5156LowThe Windows Filtering Platform has allowed a connection.Filtering Platform Connection
5157LowThe Windows Filtering Platform has blocked a connection.Filtering Platform Connection
5158LowThe Windows Filtering Platform has permitted a bind to a local port.Filtering Platform Connection
5159LowThe Windows Filtering Platform has blocked a bind to a local port.Filtering Platform Connection
5376MediumCredential Manager credentials were backed up.User Account Management
5377MediumCredential Manager credentials were restored from a backup.User Account Management
5378LowThe requested credentials delegation was disallowed by policy.Other Account Logon Events
5440LowThe following callout was present when the Windows Filtering Platform Base Filtering Engine started.
5441LowThe following filter was present when the Windows Filtering Platform Base Filtering Engine started.
5442LowThe following provider was present when the Windows Filtering Platform Base Filtering Engine started.
5443LowThe following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
5444LowThe following sublayer was present when the Windows Filtering Platform Base Filtering Engine started.
5446LowA Windows Filtering Platform callout has been changed.
5447LowA Windows Filtering Platform filter has been changed.Other Policy Change Events
5448LowA Windows Filtering Platform provider has been changed.
5449LowA Windows Filtering Platform provider context has been changed.
5450LowA Windows Filtering Platform sublayer has been changed.
5451LowAn IPsec Quick Mode security association was established.ipsec quick mode
5452LowAn IPsec Quick Mode security association ended.ipsec quick mode
5453MediumAn IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.Ipsec Main Mode
5456LowPAStore Engine applied Active Directory storage IPsec policy on the computer.
5457LowPAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458LowPAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459LowPAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460LowPAStore Engine applied local registry storage IPsec policy on the computer.
5461LowPAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462LowPAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463LowPAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464LowPAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465LowPAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466LowPAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467LowPAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468LowPAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471LowPAStore Engine loaded local storage IPsec policy on the computer.
5472LowPAStore Engine failed to load local storage IPsec policy on the computer.
5473LowPAStore Engine loaded directory storage IPsec policy on the computer.
5474LowPAStore Engine failed to load directory storage IPsec policy on the computer.
5477LowPAStore Engine failed to add quick mode filter.
5478LowIPsec Services has started successfully.Ipsec Driver
5479LowIPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.Ipsec Driver
5480MediumIPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.Ipsec Driver
5483MediumIPsec Services failed to initialize RPC server. IPsec Services could not be started.Ipsec Driver
5484MediumIPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.Ipsec Driver
5485MediumIPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.Ipsec Driver
5632LowA request was made to authenticate to a wireless network.Other Account Logon Events
5633LowA request was made to authenticate to a wired network.Other Account Logon Events
5712LowA Remote Procedure Call (RPC) was attempted.RPC Events
5827MediumThe Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.
5828MediumThe Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.
5888LowAn object in the COM+ Catalog was modified.Other Object Access Events
5889LowAn object was deleted from the COM+ Catalog.Other Object Access Events
5890LowAn object was added to the COM+ Catalog.Other Object Access Events
6008LowThe previous system shutdown was unexpected
6144LowSecurity policy in the Group Policy objects has been applied successfully.Other Policy Change Events
6145MediumOne or more errors occurred while processing security policy in the Group Policy objects.Other Policy Change Events
6272LowNetwork Policy Server granted access to a user.Network Policy Server
6273MediumNetwork Policy Server denied access to a user.Network Policy Server
6274MediumNetwork Policy Server discarded the request for a user.Network Policy Server
6275MediumNetwork Policy Server discarded the accounting request for a user.Network Policy Server
6276MediumNetwork Policy Server quarantined a user.Network Policy Server
6277MediumNetwork Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.Network Policy Server
6278MediumNetwork Policy Server granted full access to a user because the host met the defined health policy.Network Policy Server
6279MediumNetwork Policy Server locked the user account due to repeated failed authentication attempts.Network Policy Server
6280MediumNetwork Policy Server unlocked the user account.Network Policy Server
24577LowEncryption of volume started
24578LowEncryption of volume stopped
24579LowEncryption of volume completed
24580LowDecryption of volume started
24581LowDecryption of volume stopped
24582LowDecryption of volume completed
24583LowConversion worker thread for volume started
24584LowConversion worker thread for volume temporarily stopped
24586MediumAn error was encountered converting volume
24588LowThe conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume
24592MediumAn attempt to automatically restart conversion on volume %2 failed.
24593MediumMetadata write: Volume %2 returning errors while trying to modify metadata. If failures continue, decrypt volume
24594MediumMetadata rebuild: An attempt to write a copy of metadata on volume %2 failed and may appear as disk corruption. If failures continue, decrypt volume.
24595LowVolume %2 contains bad clusters. These clusters will be skipped during conversion.
24621LowInitial state check: Rolling volume conversion transaction on %2.
-MediumGeneral account database changed
-MediumQuality of Service Policy changed
N/AMedium to HighPossible denial-of-service (DoS) attack
N/ALowA handle to an object was requested.
N/ALowObject open for delete
N/ALowUser Account Type Changed
N/ALowIPsec policy agent started
N/ALowIPsec policy agent disabled
N/ALowIPsec policy agent
N/ALowIPsec policy agent encountered a potential serious failure

Refer to the Active Directory Audit Checklist to learn about which audit policy settings to enable. Without the correct policy settings enabled the Active Directory logs will not be generated.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.

Leave a Comment