Event Details
EventID 64 - Prevention of Group Policy Template modification.
 Sample:
Event Type:     Warning
Event Source:   ITAD GPO Changes
Event Category: None
Event ID:       64
Date:           10/29/2009
Time:           07:42:04
User:           RESEARCH\CBrown
Computer:       DC1
Description:    
ChangeAuditor for Active Directory prevented modification of Group Policy Template.
	Client Computer : 10.0.0.1
	GPO Name : Employees
	GPO GUID : {693C5182-0240-4289-9F7F-CF41AFC48C4D}
	Setting Name : Content of "C:\WINDOWS\SYSVOL\DOMAIN\POLICIES\{693C5182-0240-4289-9F7F-CF41AFC48C4D}\GPT.INI"
	Old Value : N/A
	New Value : N/A
	File Path : C:\WINDOWS\SYSVOL\DOMAIN\POLICIES\{693C5182-0240-4289-9F7F-CF41AFC48C4D}\GPT.INI
	Action : Modify
	Request ID : {B40A3A65-B746-48FD-8B98-772B2662C00A}
===========================
Description template:
===========================
ChangeAuditor for Active Directory prevented modification of Group Policy Template.
   Client Computer : %9
   GPO Name : %1
   GPO GUID : %2
   Setting Name : %3
   Old Value : %4
   New Value : %5
   File Path : %6
   Action : %7
   Request ID : %8
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: InTrust for AD

| Filtering Field | Equals to Value |
|---|---|
| Source | ITAD GPO Changes |
| EventId | 64 |

Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | User | RESEARCH\Alebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Attempt to modify Group Policy Object" | Attempt to modify Group Policy Object |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | Client Computer | 10.0.0.1 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | - | | |
| WhereDomain | - | | |
| Policy Name | The name of the affected policy. | Setting Name | Content of "C:\WINDOWS\SYSVOL\DOMAIN\POLICIES\{693C5182-0240-4289-9F7F-CF41AFC48C4D}\GPT.INI" |
| GPO Name | The name of the GPO where some policy was changed. | GPO Name | Employees |
| Value Before | The policy value before the change. | Old Value | N/A |
| Value After | The policy value after the change. | New Value | N/A |
| Result | Successful or Failed | "Protected" | Protected |