Windows Server 2016’s February 2018’s Cumulative Quality Update, bringing the OS version to 14393.2097, offers a fix you might be experiencing with empty values for Attribute in EventID 5136 for Directory Services Changes on Windows Server 2016-based Active Directory Domain Controllers.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
You enable auditing policies to monitor changes to a directory service object on Windows Servers running the Active Directory Domain Services (AD DS) role and configured as Active Directory Domain Controllers.
An EventID 5136 is added to the security event log after a change to the directory service object occurs.
EventID 5136 should contain the following values:
- When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
- If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
- If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.
When you inspect EventID 5136, the Value field under the Attribute item is empty. This means you cannot monitor the details of the directory service change.
This occurs when you modify an attribute of an object on Windows Server 2016 Domain Controllers. This problem may occur if you use PowerShell commands (Add-ADGroupMember or Set-ADGroup) to add a user account to a group using the user account’s security identifier (SID) instead of the Distinguished Name.
When you experience this issue, you are invited to install Windows Server 2016’s February 2018 Cumulative Quality Update (KB4077525) on the Active Directory Domain Controllers running Windows Server 2016 to resolve it.
Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY. Contact your antivirus manufacturer to verify that their software is compatible and that they have set the REGKEY.