Event ID 612 Source Security

Event ID: 612
Source: Security
Type: Success Audit
Description: Audit Policy Change:
New Policy:
Success Failure
+       +       Logon/Logoff
-       -       Object Access
-       -       Privilege Use
+       +       Account Management
+       +       Policy Change
-       -       System
-       -       Detailed Tracking
-       -       Directory Service Access
+       +       Account Logon
Changed By:
User Name: <user name>
Domain Name: <domain name>
Logon ID: <logon id>
Comments

Ionut Marin (Last update 8/9/2004):
As per Microsoft: "Event ID 612 indicates that a change in audit policy has been made on the local computer. The logging of Event ID 612 is the expected behavior when you restart Windows XP SP2". See M840633 and MSW2KDB for information on this event.

Nick Thorp (Last update 5/20/2004):
This event occurs (even if the policy doesn't actually change) if you have a policy applied to the server (or the containing OU/AD) via the Active Directory. When the server boots, it sets its audit policy according to the local settings, then the AD forces its settings on the server and this creates the 612 in the event log, even if the local policy is identical to the applied policy.
So, in my case, nothing to worry about, behaviour by design.

Adrian Grigorof (Last update 5/20/2004):
Indicates that a change was made to the audit policy. The description shows the current policy. A "+" sign indicates that the policy is enabled, a "-" that it is disabled. For example, the following:
-     + Directory Service Access
Indicates that the successful attempts to use the directory services will not be audited (the "-") but the failures will be (the "+").

See the link to the "Auditing policies - their meaning and recommended settings" article for a description of the auditing policies.

This event is also logged each time that the server refreshes its local security policy. This is the case when the user recorded in the event description is the name of the computer itself (i.e. SERVER1$).
Links: M174074, M840633, Auditing policies - their meaning and recommended settings, Online Analysis of Security Event Log, MSW2KDB
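
The description layout and the computer-account case discussed in the comments above can be checked programmatically. The following is an added example, not part of the original page or its comments: it parses the text of a 612 description into a per-category Success/Failure table, flags events whose "Changed By" user is a computer account, and compares two events to see whether the policy actually changed. The function names and the sample values (SERVER1$, EXAMPLE, the logon ID) are assumptions constructed for illustration.

```python
import re

# Constructed sample: the Event ID 612 description layout shown on this page,
# with illustrative values in place of <user name>, <domain name>, <logon id>.
# Two rows keep uneven spacing on purpose to show the parser tolerates it.
SAMPLE = """Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
-  -System
- - Detailed Tracking
- - Directory Service Access
++ Account Logon
Changed By:
User Name: SERVER1$
Domain Name: EXAMPLE
Logon ID: (0x0,0x3E7)
"""

ROW = re.compile(r"^\s*([+-])\s*([+-])\s*(\S.*?)\s*$")  # success, failure, category
FIELD = re.compile(r"^\s*(User Name|Domain Name|Logon ID):\s*(.*?)\s*$")

def parse_612(description):
    """Return (policy, changed_by) parsed from a 612 description string."""
    policy, changed_by = {}, {}
    for line in description.splitlines():
        m = ROW.match(line)
        if m:  # first column is Success auditing, second is Failure auditing
            policy[m.group(3)] = {"success": m.group(1) == "+", "failure": m.group(2) == "+"}
            continue
        m = FIELD.match(line)
        if m:
            changed_by[m.group(1)] = m.group(2)
    return policy, changed_by

def is_machine_refresh(changed_by):
    """True when the change was recorded under a computer account (name ends in '$')."""
    return changed_by.get("User Name", "").endswith("$")

def diff_policy(old, new):
    """Categories whose success/failure auditing differs between two parsed events."""
    return sorted(c for c in set(old) | set(new) if old.get(c) != new.get(c))
```

Running `diff_policy` on consecutive 612 events separates the routine refreshes described above (empty result, computer account) from events where an audit category was really switched on or off.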