Policy Change Event: 611

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Process Tracking » Policy Change Event: 611

Event ID 611 – Removing Trusted Domain

Event ID 611
Category Policy Change
Type Success Audit

Like event 610, event 611 too varies depending on the OS. When a trusted domain is removed on Win2000, event 611 gets logged twice by the domain controller. Unlike event 610 though, event 620 does not get logged along with 611.

On Windows 2003, this event is logged only once when a trusted domain is removed. The DC also logs events 565 and 564 if the directory service access auditing is on.

This log data provides the following information:

  • Domain Name
  • Domain ID
  • Removed By
  • User Name
  • Domain
  • Logon ID

Why does event ID 611 need to be monitored?

All changes related to Active Directory domain trusts, such as removal of trust, should be monitored. If an unplanned change occurs, the reason for the change must be investigated.

Pro Tip:

ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.

Event 611 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

Corresponding event ID in Windows 2008 and Windows Vista is 4707