Event ID 5169

A directory service object was modified. 

A directory service object was modified.

Subject:
    Security ID:        %3
    Account Name:       %4
    Account Domain:     %5
    Logon ID:           %6

Directory Service:
    Name:   %7
    Type:   %8

Object:
    DN:     %9
    GUID:   %10
    Class:  %11

Attribute:
    LDAP Display Name:  %12
    Syntax (OID):       %13
    Value:              %14
    Expiration Time:    %15

Operation:
    Type:                       %16
    Correlation ID:             %1
    Application Correlation ID: %2


This event documents modifications to AD objects, identifying the object, user, attribute modified, the new value of the attribute if applicable and the operation performed.

Auditing:     Conditional

Use it for sensitive groups (Domain Admins), Service Accounts, and Root OUs.


Volume:     Low

The expected volume for this event is low in typical environments utilizing targeted SACLs.




Name Field Insertion String OS Example
Correlation ID OpCorrelationID %1 Any {02647639-8626-...}
Application Correlation ID AppCorrelationID %2 Any -
Security ID SubjectUserSid %3 Any S-1-5-21
Account Name SubjectUserName %4 Any dadmin
Account Domain SubjectDomainName %5 Any CONTOSO
Logon ID SubjectLogonId %6 Any 0x32004
Directory Service Name DSName %7 Any contoso.local
Directory Service Type DSType %8 Any %%676
Object DN ObjectDN %9 Any CN=Jeff Smith,OU=Sales...
Object GUID ObjectGUID %10 Any {4f3a1b2c-8d9e-...}
Object Class ObjectClass %11 Any user
LDAP Display Name AttributeLDAPDisplayName %12 Any description
Syntax (OID) AttributeSyntaxOID %13 Any 2.5.5.12
Value AttributeValue %14 Any Senior Developer
Senior Developer AttributeValueExpiration %15 Any 0x7FFFF...
Operation Type OperationType %16 Any %%14675

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Directory Service Access"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 2016 Windows 2019 Windows 2022 Windows 2025

Tags:
Domain Controller Audit Success Audit Failure
Audit Category:
DS Access

Audit Subcategory:
Directory Service Access

LEFT/RIGHT arrow keys for navigation

Back to List