Windows Server 2016’s February 2018 Quality Update fixes empty Attribute value in EventID 5136 for Directory Services Changes

Windows Server 2016

Windows Server 2016’s February 2018’s Cumulative Quality Update, bringing the OS version to 14393.2097, offers a fix you might be experiencing with empty values for Attribute in EventID 5136 for Directory Services Changes on Windows Server 2016-based Active Directory Domain Controllers.


About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blogpost.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016.  This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.


The situation

You enable auditing policies to monitor changes to a directory service object on Windows Servers running the Active Directory Domain Services (AD DS) role and configured as Active Directory Domain Controllers.

An EventID 5136 is added to the security event log after a change to the directory service object occurs.

EventID 5136 should contain the following values:

  • When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
  • If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
  • If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
  • If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.


The issue

When you inspect EventID 5136, the Value field under the Attribute item is empty. This means you cannot monitor the details of the directory service change.


The cause

This occurs when you modify an attribute of an object on Windows Server 2016 Domain Controllers. This problem may occur if you use PowerShell commands (Add-ADGroupMember or Set-ADGroup) to add a user account to a group using the user account’s security identifier (SID) instead of the Distinguished Name.


The solution

When you experience this issue, you are invited to install Windows Server 2016’s February 2018 Cumulative Quality Update (KB4077525) on the Active Directory Domain Controllers running Windows Server 2016 to resolve it.

Known issues

Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY. Contact your antivirus manufacturer to verify that their software is compatible and that they have set the REGKEY.

Further reading

February 22, 2018—KB4077525 (OS Build 14393.2097)
The Value field under the Attribute item for event ID 5136 is empty in Windows Server
AD DS Auditing Step-by-Step Guide

leave your comment