Policy Change Event: 612

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Process Tracking » Policy Change Event: 612

Event ID 612 – Audit Policy Change

Event ID 612
Category Policy Change
Type Success Audit

If a system's audit policy is modified, then event 612 is logged. A 'plus' in the log indicates that that particular feature was enabled, while a 'minus' indicates that the feature was disabled. These changes can be made either by the administrators, or a group policy object.

Different OSes handle this event in different ways. Windows XP SP2 logs this every time the system starts up, while Windows 2000 logs this twice in succession every time the group policy is refreshed.

This log data provides the following information:

  • New Policy
  • User Name
  • Domain Name
  • Logon ID

Why does event ID 612 need to be monitored?

Events of this type should always be monitored, especially on high-value computers or assets, because only planned changes should occur in the local audit policy. Any and all unplanned changes must be further investigated.

Pro Tip:

ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.

Event 612 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

Corresponding event ID in Windows 2008 and Windows Vista is 4719.