Event Details
Operating System->Microsoft Windows->Application logs->Quest->Change Auditor->Change Auditor for Active Directory->ITAD Directory Changes->EventID 46 - Prevention of AD object security descriptor modification.
EventID 46 - Prevention of AD object security descriptor modification.
 Sample: 
Event Type:     Warning
Event Source:   ITAD Directory Changes
Event Category: None
Event ID:       46
Date:           10/29/2009
Time:           07:09:07
User:           RESEARCH\CBrown
Computer:       DC1
Description:    
ChangeAuditor for Active Directory prevented modification of AD object security descriptor.
	Client Computer : 10.0.0.1
	Object DN : CN={CABC510B-5D32-4202-A000-36ED89222065},CN=Policies,CN=System,DC=research,DC=corp
	Object Class : groupPolicyContainer
	Object GUID : {5ADBBF6C-CC17-4C69-8E3E-A01900C77AAB}
	Action : ACE Addition
	Type : Permission Allow
	Trustee : CREATOR OWNER
	Trustee Type : Well Known Group
	Inherited : No
	Apply To : Child objects only
	Old Access Type : <not set>
	New Access Type : Create All Child Objects, Delete All Child Objects, 
	List Child Objects, All Validated Writes, Read All Properties, Write All Properties, 
	Delete Subtree, List Contents, Delete, Read Permissions, Modify Permissions, Modify Owner
	Request ID : {CE149FF1-60EC-45C2-849B-64A41779CB81}
===========================
Description template:
===========================
ChangeAuditor for Active Directory prevented modification of AD object security descriptor.
   Client Computer : %13
   Object DN : %1
   Object Class : %2
   Object GUID : %3
   Action : %4
   Type : %5
   Trustee : %6
   Trustee Type : %7
   Inherited : %8
   Apply To : %9
   Old Access Type : %10
   New Access Type : %11
   Request ID : %12
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: InTrust for AD
Filtering Field Equals to Value
Source ITAD Directory Changes
EventId 46
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category AttestationReview
Whom The object name to which the activity was applied. InsertionString1
Client Computer InsertionString13 10.0.0.1
Request ID InsertionString12 {CE149FF1-60EC-45C2-849B-64A41779CB81}
Object DN InsertionString1 CN={CABC510B-5D32-4202-A000-36ED89222065},CN=Policies,CN=System,DC=research,DC=corp
Object Class InsertionString2 groupPolicyContainer
Object GUID InsertionString3 {5ADBBF6C-CC17-4C69-8E3E-A01900C77AAB}
Action InsertionString4 ACE Addition
Trustee InsertionString6 CREATOR OWNER
Trustee Type InsertionString7 Well Known Group
Inherited InsertionString8 No
Applied to InsertionString9 Child objects only
Old Access Type InsertionString10 <not set>
New Access Type InsertionString11 Create All Child Objects, Delete All Child Objects, List Child Objects, All Validated Writes, Read All Properties, Write All Properties, Delete Subtree, List Contents, Delete, Read Permissions, Modify Permissions, Modify Owner
Permission Type InsertionString5 Permission Allow
Comments
You must be logged in to comment