Event banner
Event details
Microsoft
- Wayne_McIntyreahh, I understand now. That is great feedback. There are no changes to these events, however you could combine knowing the object and then reviewing the metadata of the object to find which attributes have changed. I think part of the problem with the event is the number of attributes will be of variable length, so I could modify 1 attribute or 40 attributes on the same object in the same modification call. Certainly, doable though.
thanks Wayne 🙂 , appreciate it.. also taking full advantage of getting you all AD experts from MS here 🙂 , here is a fun issue too , even though assumption is that schema changes dont produce 5136 events, sometimes they do , its very intermittent and ive been able to produce about 2 events in 20 attempts.
A directory service object was created.
Subject: Security ID: NARASUB\administrator
Account Name: Administrator
Account Domain: NARASUB
Logon ID: 0x1E86302
Directory Service: Name: narasub.com
Type: Active Directory Domain Services Object: DN: CN=gabbf,CN=Schema,CN=Configuration,DC=narasub,DC=com GUID: CN=gabbf,CN=Schema,CN=Configuration,DC=narasub,DC=com Class: attributeSchema Operation: Correlation ID: {2b0c88c4-d488-4ff1-bcca-ae3ba57361d0} Application Correlation ID: -
- Wayne_McIntyreThat is interesting. The audit events use a cache and then a worker routine to flush and write out the audit events in this cache. At the very least, the behavior should be consistent and I am not sure why sometimes the audit is getting pushed into the cache and other times not. Something we will have to debug and figure out. I will create a work item for this. Thanks for reporting it.