Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
 
Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Windows security event log library

Gain quick insights into all the Windows security log events audited and analyzed by ADAudit Plus.

EVENT ID

Audit Categories:

S.No Event ID Description
  4768 A Kerberos authentication ticket (TGT) was requested.
This event is generated every time a user's credentials are checked out. It is logged only on domain controllers for both success and failure events.   
  4771 Kerberos pre-authentication failed.
This event is generated every time a request for a TGT fails (e.g., due to a bad or expired password). It is logged only on domain controllers and only for failure events.   
  4720 A user account was created.
This event is generated every time a new user account is created. It is logged on domain controllers, member servers, and workstations.   
  4722 A user account was enabled.
This event is generated every time a user or computer account is enabled. For user objects, it is logged on domain controllers, member servers, and workstations. For computers, it is logged only on domain controllers.   
  4723 An attempt was made to change an account's password.
This event is generated every time a user tries to change their own password. For user objects, it is logged on domain controllers, member servers, and workstations.   
  4724 An attempt was made to reset an account's password.
This event is generated every time a user tries to change the password on another account. For user objects, it is logged on domain controllers, member servers, and workstations.   
  4725 A user account was disabled.
This event is generated every time a user or computer account is disabled. For user objects, it is logged on domain controllers, member servers, and workstations. For computers, it is logged only on domain controllers.   
  4726 A user account was deleted.
This event is generated every time a user object is deleted. It is logged on domain controllers, member servers, and workstations  
  4727 A security-enabled global group was created.
This event is generated every time a user creates a security group with global scope. It is logged only on domain controllers.   
  4728 A member was added to a security-enabled global group.
This event is generated every time a user, computer, or group is added to a security group with global scope. It is logged only on domain controllers.    
  4744 A security-disabled local group was created.
This event is generated every time a user creates a distribution group with domain local scope. It is logged only on domain controllers.  
  4745 A security-disabled local group was changed.
This event is generated every time a user modifies a distribution group with domain local scope. It is logged only on domain controllers.   
  4746 A member was added to a security-disabled local group.
This event is generated every time a user, computer, or group is added to a distribution group with domain local scope. It is logged only on domain controllers.   
  4747 A member was removed from a security-disabled local group.
This event is generated every time a user, computer, or group is removed from a distribution group with domain local scope. It is logged only on domain controllers.  
  4748 A security-disabled local group was deleted.
This event is generated every time a distribution group with domain local scope is deleted. It is logged only on domain controllers.  
  4749 A security-disabled global group was created.
This event is generated every time a user creates a distribution group with global scope. It is logged only on domain controllers.  
  4750 A security-disabled global group was changed.
This event is generated every time a user modifies a distribution group with global scope. It is logged only on domain controllers.  
  4751 A member was added to a security-disabled global group.
This event is generated every time a user, computer, or group is added to a distribution group with global scope. It is logged only on domain controllers.  
  4752 A member was removed from a security-disabled global group.
This event is generated every time a user, computer, or group is removed from a distribution group with global scope. It is logged only on domain controllers.   
  4753 A security-disabled global group was deleted.
This event is generated every time a distribution group with global scope is deleted. It is logged only on domain controllers.  
  4803 The screen saver was dismissed.
This event is generated every time a user dismisses their screen saver. It is logged on domain controllers, member servers, and workstations.   
  4656 A handle to an object was requested.
This event is generated every time specific access is requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. It is logged on domain controllers, member servers, and workstations.   
  4660  An object was deleted.
This event is generated every time an Active Directory object is deleted. It is logged on domain controllers, member servers, and workstations.   
  4663 An attempt was made to access an object.
This event is generated every time an Active Directory object is accessed, and it logs the type of access used. It is logged on domain controllers, member servers, and workstations.   
  4670 Permissions on an object were changed.
This event is generated every time a user modifies the access control list of an Active Directory object. It is logged on domain controllers, member servers, and workstations.   
  4907 Auditing settings on an object were changed.
This event is generated every time the SACL of an object, such as a file or a registry key, is changed. It is logged on domain controllers, member servers, and workstations.  
  560 A handle to an object was requested.
This event is generated every time specific access is requested for an object, such as a file system, kernel, registry object, or a file system object on a removable storage device. It is logged on domain controllers, member servers, and workstations.   
  563 An object was opened for deletion.
This event is generated every time an object is accessed successfully with the intention of deleting it. It is logged on domain controllers, member servers, and workstations.   
  564 An object was deleted.
This event is generated every time an Active Directory object is successfully deleted. It is logged on domain controllers, member servers, and workstations.   
  567 An attempt was made to access an object.
This event is generated every time a user or program attempts to open an Active Directory object. It is logged on domain controllers, member servers, and workstations.  
  4648 A logon was attempted using explicit credentials.
This event is generated every time a process attempts to log on to an account by explicitly specifying that account's credentials. It is logged on domain controllers, member servers, and workstations.   
  6272 Network Policy Server (NPS) granted access to a user.
This event is generated every time NPS grants access to a user. It is logged only on NPS.   
  6273 NPS denied access to a user.
This event is generated every time NPS denies access to a user. It is logged only on NPS.   
  6274 NPS discarded the request for a user.
This event is generated every time NPS discards a user’s request because the structure of the request does not comply with the RADIUS protocol. It is logged only on NPS.  
  6275 NPS discarded the accounting request for a user.
This event is generated every time NPS discards an accounting request from a RADIUS client because the structure of the request does not comply with the RADIUS protocol. It is logged only on NPS.   
  6276 NPS quarantined a user.
This event is generated every time NPS quarantines a user for multiple authentication failures. It is logged only on NPS.   
  6277 NPS granted access to a user, but put the user on probation because the host did not meet the defined health policy.
This event is generated every time NPS puts a user on probation after granting access because the host could not meet the defined health policy. It is logged only on NPS.   
  6278 NPS granted access to a user because the host met the defined health policy.
This event is generated every time NPS grants access to a user since the host has met the defined health policy. It is logged only on NPS.   
  6279 NPS locked the user account due to repeat failed authentication attempts.
This event is generated every time NPS locks a user account due to repeat failed authentication attempts. It is logged only on NPS.   
  6280 NPS unlocked the user account.
This event is generated every time NPS unlocks a user account after the account lockout. It is logged only on NPS.  
  303 A client disconnected from the resource.
This event is generated every time a user on a client computer is disconnected from the network resource. It is logged only on the Terminal Services Gateway (TSG). 
  304 The user met the connection authorization policy and resource authorization policy requirements, but could not connect to the resource.
This event is generated every time the user is unable to connect to the network resource even after meeting the connection and resource authorization policies. It is logged only on the Terminal Services Gateway (TSG). 
  412 AD FS token issued.
This event is generated every time AD FS issues a trusted token for authenticating a user based on a set of claims. It is logged only on a federation server [a Windows server where Active Directory Federation Services (AD FS) is installed]. 
  500 Issued identity.
This event is generated every time a unique identity is issued to identify configuration objects and partner network addresses. It is logged only on a federation server.  
  501 Caller identity.
This event is generated every time a token issuance failure occurs for that caller identity. It is logged only on a federation server. 
  299 Token issued.
This event is generated every time a token is issued by AD FS for having the necessary claims to authorize user access to the application. It is logged only on a federation server.
  403 Caller identity.
This event is generated every time the DNS server cannot create a Transmission Control Protocol (TCP) socket. It is logged only on a federation server. 
  1200 Application token success.
This event is generated every time an application token is issued successfully by AD FS for an authentication request. It is logged only on a federation server.   
  1201 Application token failure.
This event is generated every time an application token issuance by AD FS fails for an authentication request. It is logged only on a federation server.   
  2093 FSMO role not responding.
This event is generated every time the remote server, that is, the Flexible Single Master Operations (FSMO), is unresponsive. It is logged only on domain controllers.   
  1837 An attempt to transfer the operations master role failed.
This event is generated every time an attempt to transfer the FSMO role by the user fails. It is logged only on domain controllers.   
  2089 This directory partition has not been backed up since at least the following number of days.
This event is generated every time a backup hasn't been created since the enabled backup latency threshold. It is logged only on domain controllers.   
  2889 Lightweight Directory Access Protocol (LDAP) bind.
This event is generated every time a client initiates an LDAP bind without requesting the verification that the directory server is not configured to reject. It is logged only on domain controllers.   
  4769 A Kerberos service ticket was requested.
This event is generated every time a user requests access to a network resource, such as a computer, which results in the Key Distribution Center (KDC) getting a Kerberos Ticket Granting Service (TGS) ticket request for authentication. It is logged only on domain controllers.   
  4672 Special privileges assigned to new logon.
This event is generated every time sensitive privileges are assigned to a new logon session. It is logged on domain controllers, member servers, and workstations.   
  4908 The special groups logon table was modified.
This event is generated every time a security identifier (SID) is added to a special group for auditing purposes. It is logged on domain controllers, member servers, and workstations.   
  4798 A user's local group membership was enumerated.
This event is generated every time a process enumerates the list of security groups that a user belongs to. It is logged on member servers and workstations.  
  4729 A member was removed from a security-enabled global group.
This event is generated when a user, group, or computer is removed from a security-enabled global group. It is logged only on domain controllers.   
  4730 A security-enabled global group was deleted.
This event is generated when a security-enabled global group is deleted. It is logged only on domain controllers.   
  4731 A security-enabled local group was created.
This event is generated when a security-enabled local group is created. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.   
  4732 A member was added to a security-enabled local group.
This event is generated when users, groups, or computers are added to a security-enabled local group. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.   
  4733 A member was removed from a security-enabled local group.
This event is generated when users, groups, or computers are removed from a security-enabled local group. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.   
  4734 A security-enabled local group was deleted.
This event is generated when a security-enabled local group is deleted. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.   
  4735 A security-enabled local group was changed.
This event is generated when a security-enabled local group is modified. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.   
  4737 A security-enabled global group was changed.
This event is generated when a security-enabled global group is changed. It is logged only on domain controllers.  
  4738 A user account was changed.
This event is generated when the attributes of a user object are modified. It is logged on domain controllers for domain accounts, and on member computers for local accounts.  
  4739 Domain Policy was changed.
This event is generated when an Active Directory Domain Policy is changed. It is logged on domain controllers and member computers.   
  4759 A security-disabled universal group was created.
This event is generated when a universal distribution group is created. It is logged only on domain controllers.   
  4760 A security-disabled universal group account was changed.
This event is generated when a universal distribution group is changed. It is logged only on domain controllers.  
  4761 A member was added to a security-disabled universal group.
This event is generated when Active Directory objects, such as users, groups, or computers, are added to a universal distribution group. It is logged only on domain controllers.  
  4762 A member was removed from a security-disabled universal group.
This event is generated when Active Directory objects, such as users, groups, or computers, are removed from a universal distribution group. It is logged only on domain controllers.   
  4763 A security-disabled universal group was deleted.
This event is generated when a universal distribution group is deleted. It is logged only on domain controllers.   
  4764 A group type was changed.
This event is generated when a group type or scope is changed. It is logged only on domain controllers.   
  4781 The name of an account was changed.
This event is generated when the name of a user or computer account (sAMAccountName attribute) is changed. It is logged only on domain controllers for computer accounts, and on domain controllers and member computers for user accounts.   
  5137 A directory service object was created.
This event is generated when an Active Directory object is created, provided proper SACLs are configured for the parent object. It is logged only on domain controllers.   
  5139 A directory service object was moved.
This event is generated when an Active Directory object is moved from one OU to another. It is logged only on domain controllers.   
  5141 A directory service object was deleted.
This event is generated when an Active Directory object is deleted. It is logged on domain controllers and member computers.  
  4659 A handle to an object was requested with intent to delete.
This event is generated when an installed patch requires the replacement of a file opened by Windows. It is logged on domain controllers and member computers.  
  6416 A new external device was recognized by the system.
This event is generated when a new external device, such as a USB, is connected to the system. It is logged on servers and workstations.  
  4608 Windows is starting up.
This event is generated when a Windows machine is started. It is logged on domain controllers and member computers.  
  4609 Windows is shutting down.
This event is generated when a Windows machine is shutting down. It is logged on domain controllers and member computers.   
  1102 The audit log was cleared.
This event is generated whenever the security log is cleared. It is logged on domain controllers and member computers.   
  4614 A notification package has been loaded by the Security Account Manager.
This event is generated when a user attempts to change their password. It is logged on domain controllers and member computers.  
  4616 The system time was changed.
This event is generated when the system time is changed. It is logged on domain controllers and member computers.   
  4704 A user right was assigned.
This event is generated when a user is assigned privileges. It is logged only on domain controllers.   
  4705 A user right was removed.
This event is generated when a user's privileges are removed. It is logged only on domain controllers.   
  4719 System audit policy was changed.
This event is generated when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. It is logged on domain controllers and member computers.   
  4662 An operation was performed on an object.
This event is generated when a user accesses an Active Directory object. It is logged only on domain controllers.   
  5140 A network share object was accessed.
This event is generated when a network share object is accessed. It is logged on domain controllers and member computers.   
  5142 A network share object was added.
This event is generated whenever a network share object is added. It is logged on domain controllers and member computers.   
  5143 A network share object was modified.
This event is generated whenever a network share object is modified. It is logged on domain controllers and member computers.   
  5144 A network share object was deleted.
This event is generated whenever a network share object is deleted. It is logged on domain controllers and member computers.   
  9999 An object was renamed.
This event is generated when an Active Directory object is renamed. It is logged on domain controllers and member computers.   
  521 Unable to log events in the security log.
This event is generated when Windows is unable to write events to the security event log. It is logged on domain controllers and member computers.   
  4697 A service was installed in the system.
This event is generated when a new service is installed on a system. It is logged on domain controllers and member computers.   
  1100 The event logging service has shut down.
This event is generated during a normal system shutdown, and when the Windows Event Log service shuts down. It is logged on domain controllers and member computers.   
  1202 Fresh credential validation success.
This event is generated when fresh credentials are validated successfully by AD FS. It is logged on domain controllers and member computers.  
  1203 Fresh credential validation error.
This event is generated when fresh credential validation fails in AD FS. It is logged on domain controllers and member computers.  
  1210 Extranet lockout.
This event is generated when a user is locked out of, or when a locked out user attempts to log in to, AD FS. It is logged on domain controllers and member computers.   
  516 Extranet lockout.
This event is generated when a user account is locked out due to too many bad password submissions to AD FS. It is logged on domain controllers and member computers.  
  410 Extranet lockout.
This event is generated right after an AD FS authentication request is initiated, and contains context headers. It is logged on domain controllers and member computers. 
  411 Extranet lockout.
This AD FS event is generated when token validation fails. It is logged on domain controllers and member computers. 
  4618 A monitored security event pattern has occurred.
This event is generated when Windows is configured to generate alerts per the Common Criteria security audit analysis requirements and an auditable event pattern occurs. It is logged on domain controllers and member computers.  
  4649 A replay attack was detected.
This event is generated when the same packets are sent by a misconfigured network device between the server and the client. It is logged on domain controllers and member computers.  
  4765 SID History was added to an account.
This event is generated when SID History is added to an account in Active Directory. It is logged on domain controllers and member computers.   
  4766 An attempt to add SID History to an account failed.
This event is generated when there is an attempt to add SID History to an account. It is logged on domain controllers and member computers.   
  4799 A security-enabled local group membership was enumerated.
This event is generated when a process enumerates a user's local security groups on a computer or device. It is logged on domain controllers and member computers.   
  5378 The requested credentials delegation was disallowed by policy.
This event is generated when the CredSSP delegation for a WinRM double-hop session is not set properly. It is logged on domain controllers and member computers.   
  5633 A request was made to authenticate to a wired network.
This event is generated when a network adapter connects to a new wired network and an 802.1x authentication attempt is made for that network. It is logged on domain controllers and member computers.   
  5632 A request was made to authenticate to a wireless network.
This event is generated when a network adapter connects to a new wireless network and an 802.1x authentication attempt is made for that network. It is logged on domain controllers and member computers.   
  4610 An authentication package has been loaded by the Local Security Authority.
This event is generated at startup for each authentication package on the system. It is logged on domain controllers and member computers.   
  4611 A trusted logon process has been registered with the Local Security Authority.
This event is generated when a logon process is registered with the Local Security Authority to submit trusted logon requests. It is logged on domain controllers and member computers.   
  4622 A security package has been loaded by the Local Security Authority.
This event is generated when a security package is loaded by the Local Security Authority. It is logged on domain controllers and member computers.   
  7045 A new service was installed in the system.
A new service was installed in the system.  
  4740 A user account was locked out.
This event is generated when a user account gets locked out. It is logged on domain controllers, member servers, and workstations.   
  4741 A computer account was created.
This event is generated when a new computer object is created. It is logged only on domain controllers.   
  4742 A computer account was changed
This event is generated when a computer object is changed. It is logged only on domain controllers.   
  4743 A computer account was deleted.
This event is generated when a computer object is deleted. It is logged only on domain controllers.   
  4754 A security-enabled universal group was created.
This event is generated when a universal security group is created. It is logged only on domain controllers.   
  4755 A security-enabled universal group was changed.
This event is generated when a universal security group is changed. It is logged only on domain controllers.   
  4756 A member was added to a security-enabled universal group.
This event is generated when a member is added to a universal security group. It is logged only on domain controllers.   
  4757 A member was removed from a security-enabled universal group.
This event is generated when a member is removed from a universal security group. It is logged only on domain controllers.   
  4758 A security-enabled universal group was deleted.
This event is generated when a universal security group is deleted. It is logged only on domain controllers.  
  4767 A user account was unlocked.
This event is generated when a user account gets unlocked (when the Unlock Account checkbox on the user's account tab is selected). It is logged on domain controllers, member servers, and workstations.   
  5136 A directory service object was modified.
This event is generated when an Active Directory object is modified. It is logged only on domain controllers.   
  5138 A directory service object was undeleted.
This event is generated when an Active Directory object is undeleted. It is logged only on domain controllers.   
  4624 An account successfully logged on.
This event is generated when there is a successful logon to a local computer. It is logged on domain controllers, member servers, and workstations.   
  4625 An account failed to log on.
This event is generated when there is a failed attempt to log on to a local computer. It is logged on domain controllers, member servers, and workstations.   
  4800 A workstation was locked.
This event is generated when a workstation is locked (when a user manually locks their workstation, or when the workstation automatically locks itself after a period of inactivity). It is logged only on workstations.   
  4801 A workstation was unlocked.
This event is generated when a workstation is unlocked. It is logged only on workstations.   
  4647 User initiated logoff.
This event is generated when logoff is initiated. It is logged on domain controllers, member servers, and workstations.   
  4778 A session was reconnected to a Window Station.
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching. It is logged on domain controllers, member servers, and workstations.   
  4779 A session was disconnected from a Window Station.
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching. It is logged on domain controllers, member servers, and workstations.  
  4802 The screen saver was invoked.
This event is generated when a workstation activates the screen saver in response to a period of inactivity. It is logged only on workstations.  
  4714 Encrypted data recovery policy was changed.
This event is generated when a computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy is modified (either via Local Security Policy or Group Policy in Active Directory). It is logged on domain controllers, member servers, and workstations.   
  4717 System security access was granted to an account.
This event is generated when a logon right (such as "Access this computer from the network") is granted to an account. It is logged on domain controllers, member servers, and workstations.  
  4718 System security access was removed from an account.
This event is generated when a logon right (such as "Access this computer from the network") is removed from an account. It is logged on domain controllers, member servers, and workstations.  
  4688 A new process has been created.
This event is generated when a new process starts. It is logged on domain controllers, member servers, and workstations.  
  4689 A process has exited.
This event is generated when a process ends. It is logged on domain controllers, member servers, and workstations.  
  4698 A scheduled task was created.
This event is generated when a new scheduled task is created. It is logged on domain controllers, member servers, and workstations.  
  4699 A scheduled task was deleted.
This event is generated when a scheduled task is deleted. It is logged on domain controllers, member servers, and workstations.  
  4700 A scheduled task was enabled. 
This event is generated when a scheduled task is enabled. It is logged on domain controllers, member servers, and workstations.  
  4701 A scheduled task was disabled.
This event is generated when a scheduled task is disabled. It is logged on domain controllers, member servers, and workstations.  
  4702 A scheduled task was updated.
This event is generated when a scheduled task is updated or changed. It is logged on domain controllers, member servers, and workstations.  
  1101 Audit events have been dropped by the transport.
This event is generated when restarting Windows after a dirty shutdown. It is logged on domain controllers, member servers, and workstations  
  1104 The security log is now full. 
This event is generated when the Windows security log becomes full. It is logged on domain controllers, member servers, and workstations.   
  1105 Event log automatic backup.
This event is generated when the Windows security log becomes full and a new event log file is created (for example, when the maximum size of Security Event Log file is reached and event log retention method has been set to “Archive the log when full, do not overwrite events”). It is logged on domain controllers, member servers, and workstations.   
  1108 The event logging service encountered an error.
This event is generated when the event logging service encounters an error while processing an incoming event. It is logged on domain controllers, member servers, and workstations.   
  201 Task Scheduler successfully completed a task.
This event is generated when the Task Scheduler completes a task. It is logged on domain controllers, member servers, and workstations. 
  202 Task Scheduler failed to complete a task.
This event is generated when the Task Scheduler fails to complete a task. It is logged on domain controllers, member servers, and workstations. 
  203 Task Scheduler failed to launch a task.
This event is generated when the Task Scheduler fails to launch a task. It is logged on domain controllers, member servers, and workstations.
  204 Network Access Protection (NAP) policies were not met, so the user was not authorized to connect to the TS Gateway server. 
This event is generated when NAP policies are not met, so the user is not authorized to connect to the TS Gateway server. It is logged only on Gateway servers. 
  301 Resource authorization policy requirements were not met, so the user was not authorized to access the TS Gateway server.
This event is generated when resource authorization policy requirements are not met, so the user is not authorized to access the TS Gateway server. It is logged only on Gateway servers. 
  302 User connected to the TS Gateway server.
This event is generated when the user connects to the TS Gateway server. It is logged only on Gateway servers. 
  4794 An attempt was made to set the Directory Services Restore Mode administrator password.
This event is generated when the Directory Services Restore Mode (DSRM) administrator password is changed. It is logged only on domain controllers.  
  4897 Role separation enabled.
This event is generated when an AD CS server starts and whenever role separation is actually changed. It is logged only on Active Directory Certificate Services (AD CS) servers.  
  4964 This event is generated when an AD CS server starts and whenever role separation is actually changed. It is logged only on Active Directory Certificate Services (AD CS) servers. 
This event is generated when an account that is a member of any defined Special Group logs on. It is logged on domain controllers, member servers, and workstations.   
  5124 A security setting was updated on OCSP Responder Service.
This event is generated when a security setting is updated on OCSP Responder Service. It is logged only on OCSP responders/AD CS servers.   
  2887 LDAP signing.
This event is generated when a client computer attempts an unsigned LDAP bind. It is logged only on domain controllers.   
  1644 LDAP searches.
This event is generated when an LDAP search made by a client against the directory breaches the inexpensive and/or inefficient search thresholds (it will only be logged if you set the Field Engineering reg key to 5 or higher). It is logged only on domain controllers.   
  1643 Number of LDAP searches.
This event logs the number of LDAP searches performed in a time interval and each time garbage collection is run on a domain controller (it will only be logged if you set the Field Engineering reg key to 4 or higher). It is logged only on domain controllers.   
  1317 LDAP connection timed out.
This event is generated when the local domain controller disconnects the LDAP connection from the specified network address because of a time-out. It is logged only on domain controllers.   
  1458 FSMO role transferred.
This event is generated when an FSMO role is transferred from one domain controller to another. It is logged only on domain controllers.  
  2092 FSMO replication.
This event is generated when a server is the owner of an FSMO role but does not consider it valid (replication errors prevent validation of the role). It is logged only on domain controllers.  
  4713 Kerberos policy was changed.
This event is generated when the Kerberos policy is changed. It is logged only on domain controllers.   
  6005 The Event Log service was started.
This event is generated when the Event Log service is started. It is logged on domain controllers, member servers, and workstations.  
  6006 The Event Log service was stopped.
This event is generated when the Event Log service is stopped. It is logged on domain controllers, member servers, and workstations.  
  6008 Unexpected system shutdown.
This event is generated when a system shuts down unexpectedly. It is logged on domain controllers, member servers, and workstations.   
  1074 System has been shutdown by a process or user.
This event is generated when an application causes the system to restart, or when the user initiates a restart or shutdown. It is logged on domain controllers, member servers, and workstations.   

ADAudit Plus Trusted By