5137 A directory service object was created
Written on a domain controller when an Active Directory object is created. It captures the creation of users, computers, groups, OUs, GPOs (groupPolicyContainer objects) and any other class, and together with 5136 (object modified) it tracks AD configuration changes.
Overview
The subcategory is Audit Directory Service Changes (Advanced Audit Policy, DS Access). The event is generated when an AD object is created, but only if two things are in place: Success auditing is enabled for the subcategory, and the SACL of the parent container (the domain root, an OU, or a system container such as CN=Policies,CN=System) carries a Success audit entry for creating child objects, either Create All Child Objects or the per-class form such as Create groupPolicyContainer Objects. It is recorded in the Security log of the domain controller that processed the originating write; the change replicates to the other DCs but the event does not, so collect from every DC.
How it is triggered
- Creation of an AD object such as a user, computer, GPO, OU, or group.
- User and computer creation are also recorded by the dedicated Account Management events 4720 and 4741 (and security group creation by 4727/4731/4754), but 5137 covers creation of any object class, including classes with no dedicated event such as OUs and GPOs.
Security review points
- It can catch an attacker adding objects as a step toward privilege grants or persistence: a new GPO, a new user or computer account, a new group that is then added to a privileged group. Check the created object's class, its location in the tree (Object DN), and the creating subject, and use the Correlation ID to pull the 5136 events written by the same operation, which list the attributes set at creation.
- New GPO creation in particular is notable: once it is linked to the domain, a site, or an OU (a change to the gPLink attribute of that container, itself logged as 5136), it distributes settings, scripts and scheduled tasks to every computer and user in scope. Track the lifecycle as one chain: 5137 creation, 5136 modification (including the link), 5139 move, 5141 deletion.
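The review described above, worked through in PowerShell as an added example (this is not code from the original page). ConvertFrom-Event5137 flattens one event's XML, the form Get-WinEvent returns from ToXml(), into the subject, object and correlation fields; Get-Notable5137 applies three checks that are assumptions made for this example (new GPO class, creation in a sensitive container, principal created by an account outside a provisioning baseline). The two events at the bottom are constructed samples: the domain, names, SIDs and GUIDs are invented.

```powershell
# Added example, not code from the original page.

function ConvertFrom-Event5137 {
    # Turn one 5137 event (XML as returned by Get-WinEvent's ToXml()) into a flat object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer      = $EventXml.Event.System.Computer          # the DC that logged it
        Subject       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        SubjectSid    = $data.SubjectUserSid
        LogonId       = $data.SubjectLogonId                       # join to 4624 for the session
        ObjectDN      = $data.ObjectDN
        ObjectGuid    = $data.ObjectGUID
        ObjectClass   = $data.ObjectClass
        CorrelationId = $data.OpCorrelationID                      # shared with the 5136s of the same write
    }
}

function Get-Notable5137 {
    # Return only the parsed events that deserve a look, with the reason attached.
    # $ProvisioningSids is an assumed baseline of accounts expected to create principals.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$ProvisioningSids = @()
    )
    foreach ($e in $Events) {
        $reasons = @()
        # A new GPO is a groupPolicyContainer under CN=Policies,CN=System.
        if ($e.ObjectClass -eq 'groupPolicyContainer') { $reasons += 'new GPO' }
        # Assumed list of sensitive locations: the Domain Controllers OU and direct children of CN=System.
        if ($e.ObjectDN -match ',OU=Domain Controllers,DC=' -or
            $e.ObjectDN -match '^CN=[^,]+,CN=System,DC=') {
            $reasons += 'created in a sensitive container'
        }
        # A principal created by someone who is not a provisioning account.
        if ($e.ObjectClass -in @('user', 'computer', 'group') -and
            $ProvisioningSids -notcontains $e.SubjectSid) {
            $reasons += 'principal created outside baseline'
        }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Constructed sample events (not real log data). Event 1: a GPO created by the built-in
# Administrator. Event 2: a user created in CN=Users by a helpdesk account.
$gpoEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>5137</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:30.1234567Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{8a1d2c7e-0000-4000-8000-000000000001}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="DSName">corp.example</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN={9F2A7C1B-0000-4000-8000-000000000002},CN=Policies,CN=System,DC=corp,DC=example</Data>
    <Data Name="ObjectGUID">{c3d4e5f6-0000-4000-8000-000000000003}</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
  </EventData>
</Event>
'@
$userEvent = $gpoEvent -replace 'Administrator', 'helpdesk01' `
                       -replace '-500</Data>', '-1105</Data>' `
                       -replace '<Data Name="ObjectDN">[^<]+', '<Data Name="ObjectDN">CN=svc-backup2,CN=Users,DC=corp,DC=example' `
                       -replace 'groupPolicyContainer', 'user'

$parsed   = @($gpoEvent, $userEvent) | ForEach-Object { ConvertFrom-Event5137 ([xml]$_) }
$baseline = @('S-1-5-21-1111111111-2222222222-3333333333-500')   # assumed: only Administrator provisions

Get-Notable5137 -Events $parsed -ProvisioningSids $baseline |
    Format-Table Time, Subject, ObjectClass, ObjectDN, CorrelationId, Reasons -AutoSize

# On a domain controller, replace the samples with live events from the last day:
# $parsed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137; StartTime=(Get-Date).AddDays(-1)} |
#           ForEach-Object { ConvertFrom-Event5137 ([xml]$_.ToXml()) }
```

With the samples, the first event is flagged as "new GPO" and the second as "principal created outside baseline". To see what the new object looked like at creation, query 5136 with the same OpCorrelationID; to find who was behind the session, join SubjectLogonId to the matching 4624.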
Notes for log review
- It also occurs during legitimate administration, and a busy domain produces many of these (every provisioned user and every joined computer is one). Match the created object's class, container and creating subject against normal patterns: the provisioning account, the accounts that join machines, and the admins who normally author GPOs.
- It is recorded only when a parent container's SACL audits creation of that class (or of all child objects). Set creation auditing for the classes that matter in the AD audit design (user, computer, group, organizationalUnit, groupPolicyContainer) and verify with a test creation that 5137 actually appears before relying on it.
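Configuring the two prerequisites (the audit policy subcategory from the overview and the creation SACL from the note above) on a domain controller, as an added example that is not code from the original page. It uses the ActiveDirectory module's AD: drive and the .NET ActiveDirectoryAuditRule class; Add-CreateChildAudit is a helper written for this example. Auditing at the domain root with inheritance is the assumption made here; narrow $ContainerDn to an OU if the root is too noisy. Run elevated as a Domain Admin on a DC.

```powershell
# Added example, not code from the original page. Requires the ActiveDirectory module,
# an elevated session on a DC, and SeSecurityPrivilege (Domain Admins have it).
Import-Module ActiveDirectory

# 1. Audit policy: Advanced Audit Policy > DS Access > Audit Directory Service Changes.
#    Without Success here nothing is written, whatever the SACL says.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
auditpol.exe /get /subcategory:"Directory Service Changes"

function Add-CreateChildAudit {
    # Add a Success audit ACE for Everyone on $ContainerDn, inherited by all sub-containers:
    # "Create <Class> objects" when -ClassName is given, "Create All Child Objects" otherwise.
    param(
        [Parameter(Mandatory)][string]$ContainerDn,
        [string]$ClassName
    )
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $flags    = [System.Security.AccessControl.AuditFlags]::Success
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    if ($ClassName) {
        # Scope the ACE to one class by its schemaIDGUID, read from the schema rather than hard-coded.
        $schemaNc = (Get-ADRootDSE).schemaNamingContext
        $cls = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
                   -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
        if (-not $cls) { throw "Class '$ClassName' not found in the schema" }
        $classGuid = [guid]$cls.schemaIDGUID
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($everyone, $rights, $flags, $classGuid, $inherit)
    } else {
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new($everyone, $rights, $flags, $inherit)
    }

    # -Audit is needed so the SACL is read and then written back by Set-Acl.
    $acl = Get-Acl -Path "AD:\$ContainerDn" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl
}

$domainDn = (Get-ADDomain).DistinguishedName

# Option A: audit every child-object creation anywhere under the domain root (noisy).
# Add-CreateChildAudit -ContainerDn $domainDn

# Option B: only the classes this page cares about. GPOs live under CN=Policies,CN=System
# and inherit the ACE from the root.
foreach ($class in 'groupPolicyContainer', 'organizationalUnit', 'user', 'computer', 'group') {
    Add-CreateChildAudit -ContainerDn $domainDn -ClassName $class
}

# 2. Check the resulting SACL entries for CreateChild, then create a test object and
#    confirm a 5137 shows up in the Security log of this DC.
(Get-Acl -Path "AD:\$domainDn" -Audit).Audit |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AuditFlags -AutoSize
```

Per-class ACEs show up in the SACL with ObjectType set to the class's schemaIDGUID; the all-classes form shows an empty ObjectType. Either way, the event only appears on the DC that handles the create, so the check at the end must be repeated against each DC or against the central collector.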
Key fields
| Field | Meaning |
|---|---|
| Subject: Security ID / Account Name / Account Domain / Logon ID | The account that created the object; Logon ID ties it to the logon session (4624) |
| Object: DN / GUID / Class | Distinguished name, objectGUID and schema class of the new object (e.g. user, computer, group, organizationalUnit, groupPolicyContainer) |
| Directory Service: Name / Type | The naming context written to and the store type (Active Directory Domain Services or AD LDS) |
| Operation: Correlation ID | Shared by all 5136/5137 events produced by the same directory write; use it to group them |