Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 617 - Kerberos Policy Changed [Win 2000 / 2003]
EventID 617 - Kerberos Policy Changed [Win 2000 / 2003]

Indicates that a change to the GPO named "Kerberos Policy" was successfully applied on the specified computer.

Note:
This event is logged only on Domain Controllers.
On Windows 2000 this event gets logged each time the Domain Controller applies the policy.
On Windows 2003 this problem has been corrected the event is only logged when an actual change to the policy has been detected.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2008
 Sample:
Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       617
Date:           11/13/2009
Time:           11:32:55
User:           NT AUTHORITY\SYSTEM
Computer:       DC1
Description:    
Kerberos Policy Changed:
Changed By:
	User Name:	DC1$
	Domain Name:	LOGISTICS
	Logon ID:	(0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
KerOpts: 0x0 (0x80);  KerLogoff: 0x10544800000000 (0xfca7800000000);  

Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows 2003
Category Policy Change
Source Security
EventId 617
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
User Name Account name of the user that made the change. As Kerberos policy is applied through Group Policy Objects (not directly) this field will always reflect the name of the computer where the event was logged. InsertionString1
Domain Name Domain name of the user in the User Name field InsertionString2
Logon ID ID of the logon session of the user that made the change (see User Name field). Useful for tracking other user activity during the same logon session. InsertionString3
Changes made '--' means no changes, otherwise each change is shown in round brackets InsertionString4
Comments
You must be logged in to comment