Folder Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->DS Access
DS Access
This category contrains events of a user accessing an Active Directory object that has its own system access control list (SACL) specified. It allows to track the following changes:
  • Creation, Deletion of objects
  • Changing properties of objects
  • Changing security permissions on objects

Whereas events from the Account Management category allow to track changes only to such objects as Users, Computers and Groups, events from this categroy allow to cover all AD object classes and also track changes down to the level of each individual property of an object.

Note: In order to generate these events auditing should be enabled in Active Directory for the required objects.

Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category DS Access
Source Security
Field Matching
FieldDescriptionSample Value
DateTime Date/Time of event origination in GMT format. 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Security
Type Warning, Information, Error, Success, Failure, etc. Success
User Domain\Account name of user/service/computer initiating event. RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. DC1
EventID Numerical ID of event. Unique within one Event Source. 576
Description The entire unparsed event message. Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) Security
Category A name for a subclass of events within the same Event Source. Logon/Logoff
Object Server The name of the service handling the access request DS
Object Type The class object as specified in the schema for this forest (user, group, organizational unit, etc.) %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name Distinguished name of the AD object %{8bb7faa0-e9f7-46c1-b22a-c03de2f4b7cb}
Handle ID ID of the object handle granted to the process accessing it 807808
Primary User Name Account name of the user under which the directory service process runs DCCC1$
Primary Domain Domain of the Primary User Name LOGISTICS
Primary Logon ID ID of the logon session of the Primary User Name account (0x0,0x3E7)
Client User Name Name of the user attempting to access the object DCCC1$
Client Domain Domain of the Client User Name LOGISTICS
Client Logon ID ID of the logon session of the Client User Name account (0x0,0x414A12)
Accesses Identifies the permissions requested by user/program to the object. These accesses directly correspond to the object level and property level permissions you see in the access control list of the associated object in Active Directory. Write Property and Read Property accesses will be followed by the actual properties written to or read. DELETE
Properties The list of properties to which access was requested READ_CONTROL