Event ID 612 – Audit Policy Change
If a system's audit policy is modified, then event 612 is logged. A 'plus' in the log indicates that that particular feature was enabled, while a 'minus' indicates that the feature was disabled. These changes can be made either by the administrators, or a group policy object.
Different OSes handle this event in different ways. Windows XP SP2 logs this every time the system starts up, while Windows 2000 logs this twice in succession every time the group policy is refreshed.
This log data provides the following information:
- New Policy
- User Name
- Domain Name
- Logon ID
Why does event ID 612 need to be monitored?
Events of this type should always be monitored, especially on high-value computers or assets, because only planned changes should occur in the local audit policy. Any and all unplanned changes must be further investigated.
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 612 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4719.
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools