Event ID: 5138

A directory service object was undeleted.

A directory service object was undeleted.

Subject:
    Security ID:        %3
    Account Name:       %4
    Account Domain:     %5
    Logon ID:       %6

Directory Service:
    Name:   %7
    Type:   %8

Object:
    Old DN: %9
    New DN: %10
    GUID:   %11
    Class:  %12

Operation:
    Correlation ID: %1
    Application Correlation ID: %2

This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the Active Directory Recycle Bin.

This event only generates if the container to which the Active Directory object was restored has a particular entry in its SACL: the “Create” action, auditing for specific classes or objects. An example is the “Create User objects” action.

Auditing: Conditional

Recommended if object-level auditing of Active Directory is required.

Microsoft Documentation

Event ID - 5138

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Directory Service Changes"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows 2008 Windows 2008 R2 Windows 2012 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:

Domain Controller Audit Success

Audit Category:

DS Access

Audit Subcategory:

Directory Service Changes

LEFT/RIGHT arrow keys for navigation

Back to List