Windows Server Event: 4670

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

System Event » Windows Server Event: 4670

Event ID 4670: Permissions on an object were changed.

Category Object access Policy change
Subcategory File system
  • Registry
Authorization policy change
Subject
  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
Object
  • Object Server
  • Object type
  • Object name
  • Handle ID
Process
  • Process name
  • Process ID
Permissions change
  • Old security descriptor
  • New security descriptor

Reasons to monitor this event:

  • For file system and registry objects, permission changes should be closely monitored to avoid unauthorized access.
  • For token objects, this is typically an informational event.

Pro tips:

  • ADAudit Plus generates detailed reports and real time alerts when permissions on any file system or registry object is changed.
  • The old and new value of the permissions changed can be viewed with the intuitive reports offered by ADAudit Plus.

Event 4670 applies to the following operating systems:

  • Windows Server 2008 R2 and 7
  • Windows Server 2012 R2 and 8.1
  • Windows Server 2016 and 10