When you enable the Audit policy change policy in the Default Domain Policy or in the Default Domain Controllers Policy, a Success event 617 is logged, even if no policy change has occurred?
By default, Security policy is propagated:
- Every 5 minutes when the domain controller's GPO is refreshed.
- Every 16 hours, regardless of whether or not a policy change has occurred.
- When you use the SECEDIT /RefreshPolicy machine_policy /enforce command.
If no policy changes occurred since the last update, something like the following is logged:
Time: 9:30:17 AM Category: Policy Change
Type: Success Event ID: 617
User: NT AUTHORITY\SYSTEM
"Kerberos Policy Changed:
User Name: JSI001$
Domain Name: JSIINC
Logon ID: (0x0,0x3E7)
('--' means no changes, otherwise each change is shown as:
<ParameterName>: <new value> (<old value>))
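To separate these refresh-generated 617 events from ones that record a real change, the description text can be parsed using the legend it carries. The following Python sketch is an added example, not part of the original tip. It assumes the change lines (or a lone '--') follow the legend, and the function names, parameter name and values in the sample are constructed for illustration.

```python
import re

# Last line of the legend, as shown in the event text on this page.
LEGEND_END = "<ParameterName>: <new value> (<old value>))"
# One change line: <ParameterName>: <new value> (<old value>)
CHANGE_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<new>.*?)\s*\((?P<old>[^()]*)\)$")

def parse_617_changes(description):
    """Return [(name, new, old), ...]; an empty list means a no-change refresh."""
    lines = [ln.strip().strip('"') for ln in description.splitlines()]
    if LEGEND_END not in lines:
        raise ValueError("legend not found; unexpected 617 layout")
    changes = []
    # Assumption: everything after the legend is either '--' or change lines.
    for ln in lines[lines.index(LEGEND_END) + 1:]:
        if not ln or ln == "--":
            continue
        m = CHANGE_RE.match(ln)
        if m is None:
            # Fail loudly so an unrecognised line is never treated as noise.
            raise ValueError(f"unparsed line: {ln!r}")
        changes.append((m["name"].strip(), m["new"], m["old"]))
    return changes

def triage(descriptions):
    """Split 617 descriptions into (refresh_noise_count, events_to_review)."""
    noise, review = 0, []
    for desc in descriptions:
        try:
            changes = parse_617_changes(desc)
        except ValueError as exc:
            review.append(str(exc))   # unknown layout goes to an analyst
            continue
        if changes:
            review.append(changes)
        else:
            noise += 1
    return noise, review

# Constructed sample descriptions (header copied from the event on this page;
# the parameter name and values in CHANGED are placeholders, not real data).
HEADER = ("Kerberos Policy Changed:\nUser Name: JSI001$\nDomain Name: JSIINC\n"
          "Logon ID: (0x0,0x3E7)\n"
          "('--' means no changes, otherwise each change is shown as:\n"
          "<ParameterName>: <new value> (<old value>))\n")
NO_CHANGE = HEADER + "--\n"
CHANGED = HEADER + "ExampleTicketLifetime: 0x10 (0xA)\n"

if __name__ == "__main__":
    print(triage([NO_CHANGE, CHANGED, NO_CHANGE]))
```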