When the "Audit policy change" policy is enabled for either success or failure in the Default Domain Policy or Default Domain Controllers Policy Group Policy objects (GPO), a success event, event 617, is logged in the Windows 2000 Security log regardless of whether or not a policy change occurred.
The following list describes when a Security policy is propagated by default:
- Every five minutes when the domain controller's GPO is refreshed
- Every 16 hours, regardless of whether or not a policy change has occurred
- When you use the SECEDIT /RefreshPolicy machine_policy /enforce command to propagate Group Policy changes
If no policies have changed since the last update, event 617 is logged in the Security event log:
Date: 8/28/2000 Source: Security
Time: 4:10:18 PM Category: Policy Change
Type: Success Event ID: 617
User: NT AUTHORITY\SYSTEM
Computer: MALABO
Description:
"Kerberos Policy Changed:
Changed By:
User Name: MALABO$
Domain Name: INSULAR
Logon ID: (0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
--
If a Security policy change has taken place after the last update, event 617 appears in the Security event log as follows:
Date: 6/25/2000 Source: Security
Time: 5:56:48 PM Category: Policy Change
Type: Success Event ID: 617
User: NT AUTHORITY\SYSTEM
Computer: MALABO
Description:
"Kerberos Policy Changed:
Changed By:
User Name: MALABO$
Domain Name: INSULAR
Logon ID: (0x0,0x3E7)
Changes made:
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
KerLogoff: 0x7683cd1a01a9f8b0 (0x7683cd1a01b5f8b0);
Back to the top
