Knowledge Base

Windows Server Event: 4670

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

System Event » Windows Server Event: 4670

Event ID 4670: Permissions on an object were changed.

Category	Object access	Policy change
Subcategory	File system Registry	Authorization policy change

Subject	Security ID Account Name Account Domain Logon ID
Object	Object Server Object type Object name Handle ID
Process	Process name Process ID
Permissions change	Old security descriptor New security descriptor

Reasons to monitor this event:

For file system and registry objects, permission changes should be closely monitored to avoid unauthorized access.
For token objects, this is typically an informational event.

Pro tips:

ADAudit Plus generates detailed reports and real time alerts when permissions on any file system or registry object is changed.
The old and new value of the permissions changed can be viewed with the intuitive reports offered by ADAudit Plus.

Event 4670 applies to the following operating systems:

Windows Server 2008 R2 and 7
Windows Server 2012 R2 and 8.1
Windows Server 2016 and 10

Explore Active Directory auditing and reporting with ADAudit Plus.

Account Management Auditing

Active Directory Auditing

Windows Server Auditing

Related Products