Greetings,
I configured an alert (monitoring event 642) in a Windows 2003 Domain Controller
and 4738 in Windows 2012 domain controllers security event log.
When an AD user object change occurs in a Windows 2003 Domain Controller, the
642 alert is firing and the email subscriptions are going out.
The odd thing is that a corresponding 4738 alert will also fire even if the AD user
object was changed when connecting to the Windows 2003 Domain Controller. No
EVENT FORWARDING is configured from the 2003 Domain Controller to the 2012
Domain Controller.
AD User Object Change Audit
MGMT PACK: CUSTOM-DOMAIN-CONTROLLER-EVENT-ALERTING
GROUP: CUSTOM-Windows 2003 DCs
DYNAMIC MEMBERSHIP:
2003 DC
RULE: EVENT 642
Subscriber: [email protected]
AND
MGMT PACK: CUSTOM-DOMAIN-CONTROLLER-EVENT-ALERTING
GROUP: CUSTOM-Windows 2012 and above DCs
DYNAMIC MEMBERSHIP:
2008 and above DC
RULE: EVENT 4738
Subscriber: [email protected]
Would be great to hear from others on why this is happening.
Regards
Sarbjit Singh