4934 Attributes of an Active Directory object were replicated
Written when attributes of an Active Directory object are replicated. It is a detailed-replication auditing event showing which attributes were synchronized between DCs.
Overview
The subcategory is Audit Detailed Directory Service Replication. It is generated when an AD object’s attributes are replicated by replication. Because it appears in extreme volume, it is normally not left always-on.
How it is triggered
- When an object’s attribute values are synchronized in replication between DCs.
Security review points
- Its standalone security value is low, but it is usable to track when and where a specific object’s (e.g. a sensitive account’s) attributes were replicated.
- The primary detection of attacks targeting credential replication (such as DCSync) is done via 4662. Use 4934 as a supplement during investigations that need detailed visibility into replication.
Notes for log review
- It is especially high-volume even among detailed replication auditing. It is unsuited to always-on monitoring; enable it in a limited, temporary way.
- Reference it only in specific investigations that need attribute-level synchronization tracking.
Key fields
| Field | Meaning |
|---|---|
Object | The replicated object |
| Replicated attributes | The synchronized attributes |
| Source/destination DC | The parties to the replication |