Event Details
EventID 5138 - A directory service object was undeleted.
 Sample:
        A directory service object was undeleted.

        Subject:
        Security ID:		%3
        Account Name:		%4
        Account Domain:		%5
        Logon ID:		%6

        Directory Service:
        Name:	%7
        Type:	%8

        Object:
        Old DN:	%9
        New DN:	%10
        GUID:	%11
        Class:	%12

        Operation:
        Correlation ID:	%1
        Application Correlation ID:	%2
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016)
Category | DS Access
Source | Microsoft-Windows-Security-Auditing
TaskCategory | Directory Service Changes
EventId | 5138
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | - | 1/1/2000
Who | Account or user name under which the activity occurred. | - | SomeUser
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "AD Object was undeleted" | AD Object was undeleted
Where | The name of the workstation/server where the activity was logged. | - | 10.10.10.10
Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10
Severity | Specify the seriousness of the event. | - | High
WhoDomain | | - |
WhereDomain | | - |
Result | Successful or Failed | - |
Object Name | | - |
Object Type | | - |
Whom | | - |
Object Old DN | | Object: Old DN |
Object New DN | | Object: New DN |
Object GUID | The globally unique identifier of the object, or the DN | Object: GUID |