Event-o-Pedia EventID 46 - Prevention of AD object security descriptor modification.

	Event Details
	User Activity->Permission Changes->Active Directory Permission Changes->InTrust Plug-in for Active Directory->Common Active Directory Permission Changes->Protected change attempts->EventID 46 - Prevention of AD object security descriptor modification.

EventID 46 - Prevention of AD object security descriptor modification.

Linked Event:

EventID 46 - Prevention of AD object security descriptor modification.

Sample:

Event Type:     Warning
Event Source:   ITAD Directory Changes
Event Category: None
Event ID:       46
Date:           10/29/2009
Time:           07:09:07
User:           RESEARCH\CBrown
Computer:       DC1
Description:    
ChangeAuditor for Active Directory prevented modification of AD object security descriptor.
	Client Computer : 10.0.0.1
	Object DN : CN={CABC510B-5D32-4202-A000-36ED89222065},CN=Policies,CN=System,DC=research,DC=corp
	Object Class : groupPolicyContainer
	Object GUID : {5ADBBF6C-CC17-4C69-8E3E-A01900C77AAB}
	Action : ACE Addition
	Type : Permission Allow
	Trustee : CREATOR OWNER
	Trustee Type : Well Known Group
	Inherited : No
	Apply To : Child objects only
	Old Access Type : <not set>
	New Access Type : Create All Child Objects, Delete All Child Objects, 
	List Child Objects, All Validated Writes, Read All Properties, Write All Properties, 
	Delete Subtree, List Contents, Delete, Read Permissions, Modify Permissions, Modify Owner
	Request ID : {CE149FF1-60EC-45C2-849B-64A41779CB81}
===========================
Description template:
===========================
ChangeAuditor for Active Directory prevented modification of AD object security descriptor.
   Client Computer : %13
   Object DN : %1
   Object Class : %2
   Object GUID : %3
   Action : %4
   Type : %5
   Trustee : %6
   Trustee Type : %7
   Inherited : %8
   Apply To : %9
   Old Access Type : %10
   New Access Type : %11
   Request ID : %12

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

InTrust for AD

Filtering Field	Equals to Value
Source	ITAD Directory Changes
EventId	46

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime	1/1/2000
Who	Account or user name under which the activity occured.	User	SomeUser
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Attempt to Change AD Object Permissions"	Attempt to Change AD Object Permissions
Where	The name of the workstation/server where the activity was logged.	Computer	10.10.10.10
Where From	The name of the workstation/server where the activity was initiated from.	Client Computer	10.0.0.1
Severity	Specify the seriousness of the event.	"Medium"	Medium
WhoDomain		-
WhereDomain		-
Object Type	The type of object whose permissions were changed (e.g. AD object, file, registry, etc.)	Object Class	groupPolicyContainer
Object Name	The name of the object whose permissions were changed (e.g. full system path to the file or folder)	Object DN	CN={CABC510B-5D32-4202-A000-36ED89222065},CN=Policies,CN=System,DC=research,DC=corp
To Whom	Account whose access permissions to the object were changed	Trustee	CREATOR OWNER
Result	Successful or Failed	"Protected"	Protected