首页 > 代码库 > About AcitveDirectory EventLog

About AcitveDirectory EventLog


 参考微软文档整理的常用EVENTID:

  • Account Logon 
  • Account Management 
  • Policy Change 

 

 

Event ID

Event message

分類

類別

4670

Permissions on an object were changed.

Audit Other Policy Change Events

 Policy Change

4704

A user right was assigned.

Audit Authorization Policy Change

 Policy Change

4705

A user right was removed.

Audit Authorization Policy Change

 Policy Change

4706

A new trust was created to a domain.

Audit Authorization Policy Change

 Policy Change

4707

A trust to a domain was removed.

Audit Authorization Policy Change

 Policy Change

4709

IPsec Services was started.

Audit Filtering Platform Policy Change

 Policy Change

4710

IPsec Services was disabled.

Audit Filtering Platform Policy Change

 Policy Change

4711

May contain any one of the following:PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer. 

Audit Filtering Platform Policy Change

 Policy Change

4712

IPsec Services encountered a potentially serious failure.

Audit Filtering Platform Policy Change

 Policy Change

4713

Kerberos policy was changed.

Audit Authentication Policy Change

 Policy Change

4714

Encrypted data recovery policy was changed.

Audit Authorization Policy Change

 Policy Change

4715

The audit policy (SACL) on an object was changed.

Audit Audit Policy Change

 Policy Change

4716

Trusted domain information was modified.

Audit Authentication Policy Change

 Policy Change

4717

System security access was granted to an account.

Audit Authentication Policy Change

 Policy Change

4718

System security access was removed from an account.

Audit Authentication Policy Change

 Policy Change

4719

System audit policy was changed.

Audit Audit Policy Change

 Policy Change

4720

A user account was created.

Audit User

Account Management

4722

A user account was enabled.

Audit User

Account Management

4723

An attempt was made to change an account‘s password.

Audit User

Account Management

4724

An attempt was made to reset an account‘s password.

Audit User

Account Management

4725

A user account was disabled.

Audit User

Account Management

4726

A user account was deleted.

Audit User

Account Management

4727

A security-enabled global group was created.

Audit Security Group

Account Management

4728

A member was added to a security-enabled global group.

Audit Security Group

Account Management

4729

A member was removed from a security-enabled global group.

Audit Security Group

Account Management

4730

A security-enabled global group was deleted.

Audit Security Group

Account Management

4731

A security-enabled local group was created.

Audit Security Group

Account Management

4732

A member was added to a security-enabled local group.

Audit Security Group

Account Management

4733

A member was removed from a security-enabled local group.

Audit Security Group

Account Management

4734

A security-enabled local group was deleted.

Audit Security Group

Account Management

4735

A security-enabled local group was changed.

Audit Security Group

Account Management

4737

A security-enabled global group was changed.

Audit Security Group

Account Management

4738

A user account was changed.

Audit User

Account Management

4739

Domain Policy was changed.

Audit Authentication Policy Change

 Policy Change

4740

A user account was locked out.

Audit User

Account Management

4741

A computer account was created.

Audit Computer

Account Management

4742

A computer account was changed.

Audit Computer

Account Management

4743

A computer account was deleted.

Audit Computer

Account Management

4744

A security-disabled local group was created.

Audit Distribution Group

Account Management

4745

A security-disabled local group was changed.

Audit Distribution Group

Account Management

4746

A member was added to a security-disabled local group.

Audit Distribution Group

Account Management

4747

A member was removed from a security-disabled local group.

Audit Distribution Group

Account Management

4748

A security-disabled local group was deleted.

Audit Distribution Group

Account Management

4749

A security-disabled global group was created.

Audit Distribution Group

Account Management

4750

A security-disabled global group was changed.

Audit Distribution Group

Account Management

4751

A member was added to a security-disabled global group.

Audit Distribution Group

Account Management

4752

A member was removed from a security-disabled global group.

Audit Distribution Group

Account Management

4753

A security-disabled global group was deleted.

Audit Distribution Group

Account Management

4754

A security-enabled universal group was created.

Audit Security Group

Account Management

4755

A security-enabled universal group was changed.

Audit Security Group

Account Management

4756

A member was added to a security-enabled universal group.

Audit Security Group

Account Management

4757

A member was removed from a security-enabled universal group.

Audit Security Group

Account Management

4758

A security-enabled universal group was deleted.

Audit Security Group

Account Management

4759

A security-disabled universal group was created.

Audit Distribution Group

Account Management

4760

A security-disabled universal group was changed.

Audit Distribution Group

Account Management

4761

A member was added to a security-disabled universal group.

Audit Distribution Group

Account Management

4762

A member was removed from a security-disabled universal group.

Audit Distribution Group

Account Management

4764

A group‘s type was changed.

Audit Security Group

Account Management

4765

SID History was added to an account.

Audit User

Account Management

4766

An attempt to add SID History to an account failed.

Audit User

Account Management

4767

A user account was unlocked.

Audit User

Account Management

4780

The ACL was set on accounts which are members of administrators groups.

Audit User

Account Management

4781

The name of an account was changed:

Audit User

Account Management

4782

The password hash for an account was accessed.

Audit Other Account

Account Management

4783

A basic application group was created.

Audit Application Group

Account Management

4784

A basic application group was changed.

Audit Application Group

Account Management

4785

A member was added to a basic application group.

Audit Application Group

Account Management

4786

A member was removed from a basic application group.

Audit Application Group

Account Management

4787

A non-member was added to a basic application group.

Audit Application Group

Account Management

4788

A non-member was removed from a basic application group.

Audit Application Group

Account Management

4789

A basic application group was deleted.

Audit Application Group

Account Management

4790

An LDAP query group was created.

Audit Application Group

Account Management

4793

The Password Policy Checking API was called.

Audit Other Account

Account Management

4794

An attempt was made to set the Directory Services Restore Mode.

Audit User

Account Management

4817

Auditing settings on an object were changed.

Audit Audit Policy Change

 Policy Change

4864

A namespace collision was detected.

Audit Authentication Policy Change

 Policy Change

4865

A trusted forest information entry was added.

Audit Authentication Policy Change

 Policy Change

4866

A trusted forest information entry was removed.

Audit Authentication Policy Change

 Policy Change

4867

A trusted forest information entry was modified.

Audit Authentication Policy Change

 Policy Change

4902

The Per-user audit policy table was created.

Audit Audit Policy Change

 Policy Change

4904

An attempt was made to register a security event source.

Audit Audit Policy Change

 Policy Change

4905

An attempt was made to unregister a security event source.

Audit Audit Policy Change

 Policy Change

4906

The CrashOnAuditFail value has changed.

Audit Audit Policy Change

 Policy Change

4907

Auditing settings on object were changed.

Audit Audit Policy Change

 Policy Change

4908

Special Groups Logon table modified.

Audit Audit Policy Change

 Policy Change

4909

The local policy settings for the TBS were changed.

Audit Other Policy Change Events

 Policy Change

4910

The group policy settings for the TBS were changed.

Audit Other Policy Change Events

 Policy Change

4912

Per User Audit Policy was changed.

Audit Audit Policy Change

 Policy Change

4944

The following policy was active when the Windows Firewall started.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4945

A rule was listed when the Windows Firewall started.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4946

A change has been made to Windows Firewall exception list. A rule was added.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4947

A change has been made to Windows Firewall exception list. A rule was modified.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4949

Windows Firewall settings were restored to the default values.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4950

A Windows Firewall setting has changed.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4953

A rule has been ignored by Windows Firewall because it could not parse the rule.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4954

Windows Firewall Group Policy settings have changed. The new settings have been applied.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4956

Windows Firewall has changed the active profile.

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4957

Windows Firewall did not apply the following rule:

Audit MPSSVC Rule-Level Policy Change

 Policy Change

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

Audit MPSSVC Rule-Level Policy Change

 Policy Change

5040

A change has been made to IPsec settings. An Authentication Set was added.

Audit Filtering Platform Policy Change

 Policy Change

5041

A change has been made to IPsec settings. An Authentication Set was modified.

Audit Filtering Platform Policy Change

 Policy Change

5042

A change has been made to IPsec settings. An Authentication Set was deleted.

Audit Filtering Platform Policy Change

 Policy Change

5043

A change has been made to IPsec settings. A Connection Security Rule was added.

Audit Filtering Platform Policy Change

 Policy Change

5044

A change has been made to IPsec settings. A Connection Security Rule was modified.

Audit Filtering Platform Policy Change

 Policy Change

5045

A change has been made to IPsec settings. A Connection Security Rule was deleted.

Audit Filtering Platform Policy Change

 Policy Change

5046

A change has been made to IPsec settings. A Crypto Set was added.

Audit Filtering Platform Policy Change

 Policy Change

5047

A change has been made to IPsec settings. A Crypto Set was modified.

Audit Filtering Platform Policy Change

 Policy Change

5048

A change has been made to IPsec settings. A Crypto Set was deleted.

Audit Filtering Platform Policy Change

 Policy Change

5063

A cryptographic provider operation was attempted.

Audit Other Policy Change Events

 Policy Change

5064

A cryptographic context operation was attempted.

Audit Other Policy Change Events

 Policy Change

5065

A cryptographic context modification was attempted.

Audit Other Policy Change Events

 Policy Change

5066

A cryptographic function operation was attempted.

Audit Other Policy Change Events

 Policy Change

5067

A cryptographic function modification was attempted.

Audit Other Policy Change Events

 Policy Change

5068

A cryptographic function provider operation was attempted.

Audit Other Policy Change Events

 Policy Change

5069

A cryptographic function property operation was attempted.

Audit Other Policy Change Events

 Policy Change

5070

A cryptographic function property modification was attempted.

Audit Other Policy Change Events

 Policy Change

5376

Credential Manager credentials were backed up.

Audit User

Account Management

5377

Credential Manager credentials were restored from a backup.

Audit User

Account Management

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

Audit Filtering Platform Policy Change

 Policy Change

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

Audit Filtering Platform Policy Change

 Policy Change

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

Audit Filtering Platform Policy Change

 Policy Change

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

Audit Filtering Platform Policy Change

 Policy Change

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

Audit Filtering Platform Policy Change

 Policy Change

5446

A Windows Filtering Platform callout has been changed.

Audit Filtering Platform Policy Change

 Policy Change

5447

A Windows Filtering Platform filter has been changed.

Audit Other Policy Change Events

 Policy Change

5448

A Windows Filtering Platform provider has been changed.

Audit Filtering Platform Policy Change

 Policy Change

5449

A Windows Filtering Platform provider context has been changed.

Audit Filtering Platform Policy Change

 Policy Change

5450

A Windows Filtering Platform sub-layer has been changed.

Audit Filtering Platform Policy Change

 Policy Change

5456

PAStore Engine applied Active Directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5457

PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5458

PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5459

PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5460

PAStore Engine applied local registry storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5461

PAStore Engine failed to apply local registry storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5462

PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.

Audit Filtering Platform Policy Change

 Policy Change

5463

PAStore Engine polled for changes to the active IPsec policy and detected no changes.

Audit Filtering Platform Policy Change

 Policy Change

5464

PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.

Audit Filtering Platform Policy Change

 Policy Change

5465

PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.

Audit Filtering Platform Policy Change

 Policy Change

5466

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.

Audit Filtering Platform Policy Change

 Policy Change

5467

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.

Audit Filtering Platform Policy Change

 Policy Change

5468

PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.

Audit Filtering Platform Policy Change

 Policy Change

5471

PAStore Engine loaded local storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5472

PAStore Engine failed to load local storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5473

PAStore Engine loaded directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5474

PAStore Engine failed to load directory storage IPsec policy on the computer.

Audit Filtering Platform Policy Change

 Policy Change

5477

PAStore Engine failed to add quick mode filter.

Audit Filtering Platform Policy Change

 Policy Change

6144

Security policy in the group policy objects has been applied successfully.

Audit Other Policy Change Events

 Policy Change

6145

One or more errors occurred while processing security policy in the group policy objects.

Audit Other Policy Change Events

 Policy Change

 

 

About AcitveDirectory EventLog