5139 A directory service object was moved
Logged when an Active Directory object is moved to another location, such as a different OU. It captures changes to an object’s containment.
Overview
The subcategory is Audit Directory Service Changes. It is generated when an AD object is moved to another OU/container. It includes the location (DN) before and after the move.
How it is triggered
- Moving a user, computer, group, etc. between OUs.
Security review points
- An OU move means a change in applied GPOs and delegation. An attacker may move an account to an OU with loose settings or a malicious GPO to achieve defense evasion or privilege gain. Check the OU before and after.
- Pay particular attention to OU moves of privileged accounts or important machines. Also evaluate the GPOs and delegation applied to the destination OU.
Notes for log review
- It occurs legitimately during reorganizations and operations. Match the moved object, destination OU, and subject against normal patterns.
- Watch for objects being removed from a monitored OU or moved into an OU with loose settings.
Key fields
| Field | Meaning |
|---|---|
| Old DN / New DN | The location before and after |
| Subject\Account Name | The subject that performed the move |
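The before/after OU check from the review points, as an added example (not part of the original page). It works on 5139 records already exported as dictionaries keyed by the field names in the table above. The OU names, account names and the two policy lists are assumptions made for illustration.

```python
# Assumed policy lists: hypothetical OU names, not from the original page.
MONITORED_OUS = ["OU=Tier0,DC=example,DC=test"]
LOOSE_OUS = ["OU=Staging,DC=example,DC=test"]

def parent_dn(dn):
    """Container of a DN: the text after the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":        # backslash escapes the next character
            i += 2
            continue
        if dn[i] == ",":
            return dn[i + 1:].strip()
        i += 1
    return ""

def is_under(container, ou):
    """True if container is ou or lies beneath it (case-insensitive)."""
    c, o = container.lower(), ou.lower()
    return c == o or c.endswith("," + o)

def review_move(event):
    """Findings for one 5139 record keyed by the Key fields names."""
    old_c, new_c = parent_dn(event["Old DN"]), parent_dn(event["New DN"])
    findings = []
    was_monitored = any(is_under(old_c, ou) for ou in MONITORED_OUS)
    still_monitored = any(is_under(new_c, ou) for ou in MONITORED_OUS)
    if was_monitored and not still_monitored:
        findings.append("left monitored OU")
    if any(is_under(new_c, ou) for ou in LOOSE_OUS):
        findings.append("entered loose OU")
    return findings

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"Old DN": "CN=svc-backup,OU=Tier0,DC=example,DC=test",
     "New DN": "CN=svc-backup,OU=Staging,DC=example,DC=test",
     r"Subject\Account Name": "helpdesk1"},
    {"Old DN": r"CN=Doe\, Jane,OU=Sales,DC=example,DC=test",
     "New DN": r"CN=Doe\, Jane,OU=Marketing,DC=example,DC=test",
     r"Subject\Account Name": "hr-admin"},
    {"Old DN": "CN=adm1,OU=Admins,OU=Tier0,DC=example,DC=test",
     "New DN": "CN=adm1,OU=Tier0,DC=example,DC=test",
     r"Subject\Account Name": "da-ops"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev[r"Subject\Account Name"], ev["New DN"], review_move(ev))
```

Only the first record is flagged. The second shows that an escaped comma inside the CN does not shift the container boundary, and the third stays beneath the monitored OU.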