Event ID 617 – Kerberos Policy Changed
Event ID | 617 |
Category | Policy Change |
Type | Success Audit |
This event is logged whenever the Kerberos policy is changed. The "User Name" field of the 617 event log does not identify the actual user who changed the policy, as these policies are configured in a group policy object and applied to the computer.
This event is logged only when the modified policy is applied rather than when the group policy object is actually changed.
This log data provides the following information:
- User Name
- Domain Name
- Logon ID
- Changes Made
Why does event ID 617 need to be monitored?
This event should be monitored, as unauthorized and unplanned changes in Kerberos policy warrant further investigation.
Pro Tip:
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 617 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4713.
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools