Event ID 612 – Audit Policy Change
If a system's audit policy is modified, event 612 is logged. A 'plus' in the log indicates that the particular feature was enabled, while a 'minus' indicates that the feature was disabled. These changes can be made either by administrators or by a group policy object.
Different OSes handle this event in different ways. Windows XP SP2 logs this every time the system starts up, while Windows 2000 logs this twice in succession every time the group policy is refreshed.
This log data provides the following information:
- New Policy
- User Name
- Domain Name
- Logon ID
Why does event ID 612 need to be monitored?
Events of this type should always be monitored, especially on high-value computers or assets, because only planned changes should occur in the local audit policy. Any and all unplanned changes must be further investigated.
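The following Python code is an added example, not part of the original page or of any product it mentions. It parses the plus/minus marks and the user fields from an event 612 description and reports every category that differs from a planned baseline. The sample message, its column layout (Success mark, Failure mark, category name), the BASELINE values and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of an event 612 description; the column layout
# (Success mark, Failure mark, category name) is an assumption.
SAMPLE_EVENT = """Audit Policy Change:
New Policy:
    Success  Failure
      +        +      Logon/Logoff
      -        -      Object Access
      +        -      Policy Change
Changed By:
    User Name: jdoe
    Domain Name: EXAMPLE
    Logon ID: (0x0,0x3E7)
"""

# Hypothetical planned baseline: category -> (success, failure) auditing enabled.
BASELINE = {
    "Logon/Logoff": (True, True),
    "Object Access": (False, False),
    "Policy Change": (True, True),
}

POLICY_ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(\S.*?)\s*$")
FIELD_ROW = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")

def parse_event_612(text):
    """Return (policy, fields) parsed from an event 612 description."""
    policy, fields = {}, {}
    for line in text.splitlines():
        row = POLICY_ROW.match(line)
        if row:
            policy[row.group(3)] = (row.group(1) == "+", row.group(2) == "+")
            continue
        field = FIELD_ROW.match(line)
        if field:
            fields[field.group(1)] = field.group(2)
    return policy, fields

def unplanned_changes(policy, baseline):
    """List (category, audit type, state) entries that differ from the baseline."""
    findings = []
    for category, planned in baseline.items():
        actual = policy.get(category, (None, None))  # None: row absent from event
        for kind, want, got in zip(("Success", "Failure"), planned, actual):
            if want != got:
                state = "missing" if got is None else "enabled" if got else "disabled"
                findings.append((category, kind, state))
    return findings
```

For the constructed sample, the only finding is that Failure auditing for Policy Change was disabled, and the parsed User Name, Domain Name and Logon ID identify who to follow up with.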
ADAudit Plus helps you avoid the complexities of GPO monitoring with pre-configured real-time reports, auditing of the changes, and alerts within a domain and OU. The advanced real-time audit reports for Group Policy settings highlight the elusive change details and also provide the old and new values of the modified attributes.
Event 612 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
The corresponding event ID in Windows 2008 and Windows Vista is 4719.