When you enable the Audit policy change policy in the Default Domain Policy or in the Default Domain Controllers Policy, a Success event 617 is logged, even if no policy change has occurred?
By default, Security policy is progagated:
- Every 5 minutes when the domain controller's GPO is refreshed.
- Every 16 hours, regardless of whether or not a policy change has occurred.
- When you use the SECEDIT /RefreshPolicy machine_policy /enforce command.
If no policy changes occured since the last update, something like the following is logged:
Date: 9/13/2000 Source: Security Time: 9:30:17 AM Category: Policy Change Type: Success Event ID: 617 User: NT AUTHORITY\SYSTEM Computer: JSI001 Description: "Kerberos Policy Changed: Changed By: User Name: JSI001$ Domain Name: JSIINC Logon ID: (0x0,0x3E7) Changes made: ('--' means no changes, otherwise each change is shown as: <ParameterName>: <new value> (<old value>)) --