Audit Category: Account Management (35), DS Access (17), Account Logon (5), Policy Change (4), Logon/Logoff (3)
Audit Subcategory: Application Group Management (10), Distribution Group Management (10), Detailed Directory Service Replication (7), Security Group Management (6), Directory Service Changes (5), Authentication Policy Change (4), User Account Management (4), Computer Account Management (3), Directory Service Access (3), Credential Validation (2), Directory Service Replication (2), Kerberos Authentication Service (2), Kerberos Service Ticket Operations (2), Other Logon/Logoff Events (2), Logon (1), Other Account Management Events (1), SAM (1)
Operating Systems: Windows 2016 (64), Windows 2008 (63), Windows 2008 R2 (63), Windows 2012 R2 (63), Windows 2012 (62), Windows 2019 (57), Windows 10 (40), Windows 7 (39), Windows 8 (39), Windows 8.1 (39), Windows Vista (38)
Tags: Domain Controller (64), Audit Success (30), Audit Failure (15)
ID    Event Description
4649  A replay attack was detected
4661  A handle to an object was requested
4662  An operation was performed on an object
4675  SIDs were filtered
4706  A new trust was created to a domain
4707  A trust to a domain was removed
4713  Kerberos policy was changed
4716  Trusted domain information was modified
4722  A user account was enabled
4741  A computer account was created
4742  A computer account was changed
4743  A computer account was deleted
4749  A security-disabled global group was created
4750  A security-disabled global group was changed
4751  A member was added to a security-disabled global group
4752  A member was removed from a security-disabled global group
4753  A security-disabled global group was deleted
4754  A security-enabled universal group was created
4755  A security-enabled universal group was changed
4756  A member was added to a security-enabled universal group
4757  A member was removed from a security-enabled universal group
4758  A security-enabled universal group was deleted
4759  A security-disabled universal group was created
4760  A security-disabled universal group was changed
4761  A member was added to a security-disabled universal group
4762  A member was removed from a security-disabled universal group
4763  A security-disabled universal group was deleted
4764  A group’s type was changed
4765  SID History was added to an account
4766  An attempt to add SID History to an account failed
4768  This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
4769  A Kerberos service ticket was requested
4770  A Kerberos service ticket was renewed
4771  Kerberos pre-authentication failed
4774  An account was mapped for logon
4775  An account could not be mapped for logon
4780  The ACL was set on accounts which are members of administrators groups
4782  The password hash an account was accessed
4783  A basic application group was created
4784  A basic application group was changed
4785  A member was added to a basic application group
4786  A member was removed from a basic application group
4787  A non-member was added to a basic application group
4788  A non-member was removed from a basic application group
4789  A basic application group was deleted
4790  An LDAP query group was created
4791  A basic application group was changed
4792  An LDAP query group was deleted
4794  An attempt was made to set the Directory Services Restore Mode administrator password
4928  An Active Directory replica source naming context was established
4929  An Active Directory replica source naming context was removed
4930  An Active Directory replica source naming context was modified
4931  An Active Directory replica destination naming context was modified
4932  Synchronization of a replica of an Active Directory naming context has begun
4933  Synchronization of a replica of an Active Directory naming context has ended
4934  Attributes of an Active Directory object were replicated
4935  Replication failure begins
4936  Replication failure ends
5136  A directory service object was modified
5137  A directory service object was created
5138  A directory service object was undeleted.
5139  A directory service object was moved.
5141  A directory service object was deleted.
5169  A directory service object was modified.