Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The Value field under the Attribute item for event ID 5136 is empty in Windows Server


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You install the Active Directory Domain Services (AD DS) role or the Active Directory Lightweight Directory Services (AD LDS) role on a computer that is running Windows Server 2012 R2, Windows Server 2008, or Windows Server 2008 R2.
  • You enable auditing policies to monitor changes to a directory service object.
  • An event ID 5136 is added to the security event log after a change to a directory service object occurs. For example, this event is added when you add a user account to the domain admins group.
In this scenario, the Value field under the Attribute item is empty for event ID 5136. Therefore, you cannot monitor the details of the directory service change. And, event ID 5136 does not report which user account is added to the domain admins group.

Notes
  • Some other attributes also may not contain the values that are changed in the event.
  • AD DS has Account Management auditing that can track changes to group membership. Account Management auditing is not affected because of this issue. However, Account Management auditing does not track changes to AD LDS groups.
The following is a sample event ID 5136 log entry:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: <date>
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: <computer name>
Description:
A directory service object was modified.

Subject:
Security ID: <security ID>
Account Name: <account name>
Account Domain: <domain name>
Logon ID: 0x19a69

Directory Service:
Name: <name>
Type: Active Directory Lightweight Directory Services

Object:
DN: <DN>
GUID: <GUID>
Class: group

Attribute:
LDAP Display Name: member
Syntax (OID): 2.5.5.1
Value:

Operation:
Type: Value Deleted
Correlation ID: <GUID>
Application Correlation ID: <Application Correlation ID>

↑ Back to the top


Cause

This issue occurs because the directory service passes the security identifier (SID) of a user account to the audit event. However, the audit event expects the distinguished name (DN) of the user account.

↑ Back to the top


Resolution

Note After you install this hotfix or update 2967917, the Value fields of newly created events have expected values. However, Value fields remain empty for the existing audit events that were created before this hotfix is installed.

To resolve this issue in Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2967917 July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
To resolve this issue in Windows Server 2008 R2 and Windows Server 2008, install the hotfix that is described in the "Hotfix information" section in this article.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must install the AD DS role or the AD LDS role on a computer that is running one of the following operating systems:
  • Windows Server 2008
  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849 How to obtain the latest service pack for Windows Server 2008
For more information about how to obtain a Windows 7 or a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    VersionProductSR_LevelService branch
    6.0.600 1 . 22xxxWindows Server 2008SP1LDR
    6.0.600 2 . 22xxxWindows Server 2008SP2LDR
  • Service Pack 1 is integrated into the release version of Windows Server 2008.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ntdsa.mofNot applicable227,72504-Mar-201005:49Not applicable
Ntdsai.dll6.0.6001.227961,951,23212-Nov-201016:52x86
Ntdsa.mofNot applicable227,72503-Apr-200920:49Not applicable
Ntdsai.dll6.0.6002.225241,951,23212-Nov-201019:04x86
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ntdsa.mofNot applicable227,72526-Feb-201004:07Not applicable
Ntdsai.dll6.0.6001.227962,635,77612-Nov-201018:01x64
Ntdsa.mofNot applicable227,72503-Apr-200920:42Not applicable
Ntdsai.dll6.0.6002.225242,636,28812-Nov-201019:44x64
Windows Server 2008 R2 file information notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    VersionProductSR_LevelService branch
    6.1.760 1 . 22xxxWindows Server 2008 R2SP1LDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
File nameFile versionFile sizeDateTimePlatform
Ntdsctrs.iniNot applicable58,48620-Nov-201013:35Not applicable
Report.ad.xmlNot applicable25,55020-Nov-201013:32Not applicable
Rules.ad.xmlNot applicable8,36820-Nov-201013:30Not applicable
Ntdsctrs.iniNot applicable61,68420-Nov-201013:12Not applicable
Report.ad.xmlNot applicable24,06920-Nov-201013:04Not applicable
Rules.ad.xmlNot applicable7,69520-Nov-201013:00Not applicable
Ntdsctrs.iniNot applicable54,28620-Nov-201012:59Not applicable
Report.ad.xmlNot applicable22,92920-Nov-201013:04Not applicable
Rules.ad.xmlNot applicable7,25520-Nov-201013:03Not applicable
Ntdsctrs.iniNot applicable60,80020-Nov-201013:09Not applicable
Report.ad.xmlNot applicable24,50320-Nov-201013:09Not applicable
Rules.ad.xmlNot applicable8,03120-Nov-201013:00Not applicable
Ntdsctrs.iniNot applicable61,50220-Nov-201013:09Not applicable
Report.ad.xmlNot applicable24,82120-Nov-201013:06Not applicable
Rules.ad.xmlNot applicable8,16820-Nov-201013:09Not applicable
Ntdsctrs.iniNot applicable58,15620-Nov-201013:43Not applicable
Report.ad.xmlNot applicable25,48220-Nov-201013:43Not applicable
Rules.ad.xmlNot applicable8,28420-Nov-201013:35Not applicable
Ntdsctrs.iniNot applicable58,59020-Nov-201013:43Not applicable
Report.ad.xmlNot applicable24,09020-Nov-201013:42Not applicable
Rules.ad.xmlNot applicable8,17720-Nov-201013:35Not applicable
Ntdsctrs.iniNot applicable40,58020-Nov-201013:06Not applicable
Report.ad.xmlNot applicable23,02720-Nov-201013:03Not applicable
Rules.ad.xmlNot applicable8,89120-Nov-201012:58Not applicable
Ntdsctrs.iniNot applicable40,03420-Nov-201014:28Not applicable
Report.ad.xmlNot applicable23,79020-Nov-201014:22Not applicable
Rules.ad.xmlNot applicable8,29320-Nov-201014:28Not applicable
Ntdsctrs.iniNot applicable63,53020-Nov-201013:30Not applicable
Report.ad.xmlNot applicable23,90020-Nov-201013:38Not applicable
Rules.ad.xmlNot applicable7,83920-Nov-201013:39Not applicable
Ntdsctrs.iniNot applicable58,99020-Nov-201013:36Not applicable
Report.ad.xmlNot applicable24,77920-Nov-201013:43Not applicable
Rules.ad.xmlNot applicable8,33220-Nov-201013:37Not applicable
Ntdsctrs.iniNot applicable57,83420-Nov-201013:38Not applicable
Report.ad.xmlNot applicable24,29720-Nov-201013:35Not applicable
Rules.ad.xmlNot applicable7,82120-Nov-201013:46Not applicable
Ntdsctrs.iniNot applicable60,31020-Nov-201013:37Not applicable
Report.ad.xmlNot applicable24,92220-Nov-201013:34Not applicable
Rules.ad.xmlNot applicable8,11520-Nov-201013:37Not applicable
Ntdsctrs.iniNot applicable57,25820-Nov-201013:40Not applicable
Report.ad.xmlNot applicable27,90620-Nov-201013:42Not applicable
Rules.ad.xmlNot applicable10,52620-Nov-201013:40Not applicable
Ntdsctrs.iniNot applicable59,23020-Nov-201013:37Not applicable
Report.ad.xmlNot applicable24,06220-Nov-201013:34Not applicable
Rules.ad.xmlNot applicable7,62320-Nov-201013:41Not applicable
Ntdsctrs.iniNot applicable54,78020-Nov-201013:37Not applicable
Report.ad.xmlNot applicable23,88920-Nov-201013:38Not applicable
Rules.ad.xmlNot applicable7,63520-Nov-201013:40Not applicable
Ntdsctrs.iniNot applicable34,78220-Nov-201014:28Not applicable
Report.ad.xmlNot applicable22,75720-Nov-201014:27Not applicable
Rules.ad.xmlNot applicable7,02420-Nov-201014:31Not applicable
Ntdsctrs.iniNot applicable36,46420-Nov-201014:24Not applicable
Report.ad.xmlNot applicable22,78120-Nov-201014:22Not applicable
Rules.ad.xmlNot applicable7,05920-Nov-201014:29Not applicable
Ntdsa.mofNot applicable227,76505-Nov-201001:54Not applicable
Ntdsai.dll6.1.7601.227052,754,04830-May-201408:00x64

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
For more information about AD DS auditing, visit the following Microsoft webpage.

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
File nameUpdate.mum
File versionNot applicable
File size3,189
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable
File nameX86_a08236798c039943e95163c171c8d341_31bf3856ad364e35_6.0.6001.22796_none_2389fb9ca99357af.manifest
File versionNot applicable
File size712
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable
File nameX86_c696abbb5360baa74c4081bd7d3313f2_31bf3856ad364e35_6.0.6002.22524_none_8c8bf39560da8ec7.manifest
File versionNot applicable
File size712
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable
File nameX86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.0.6001.22796_none_f0f49c8bd283e6d6.manifest
File versionNot applicable
File size12,574
Date (UTC)12-Nov-2010
Time (UTC)18:16
PlatformNot applicable
File nameX86_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.0.6002.22524_none_f324bf39cf7342dc.manifest
File versionNot applicable
File size12,574
Date (UTC)12-Nov-2010
Time (UTC)19:27
PlatformNot applicable
Additional files for all supported x64-based versions of Windows Server 2008
File nameAmd64_23f9ff974237c9ab98e6368eab264c5a_31bf3856ad364e35_6.0.6002.22524_none_582840209133fcdb.manifest
File versionNot applicable
File size716
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable
File nameAmd64_e211a1fe840a4da6cf082766f59f5893_31bf3856ad364e35_6.0.6001.22796_none_b8f0d3fee78b66dd.manifest
File versionNot applicable
File size716
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable
File nameAmd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.0.6001.22796_none_4d13380f8ae1580c.manifest
File versionNot applicable
File size12,632
Date (UTC)12-Nov-2010
Time (UTC)18:31
PlatformNot applicable
File nameAmd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.0.6002.22524_none_4f435abd87d0b412.manifest
File versionNot applicable
File size12,632
Date (UTC)12-Nov-2010
Time (UTC)20:07
PlatformNot applicable
File nameUpdate.mum
File versionNot applicable
File size3,213
Date (UTC)15-Nov-2010
Time (UTC)10:25
PlatformNot applicable

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2
File propertyValue
File nameAmd64_13d87ada27966da8a93dadd480fb735a_31bf3856ad364e35_6.1.7601.22705_none_cd052970db36f8be.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_192577bb3b6d9f7bb7c56e8b944ce0b3_31bf3856ad364e35_6.1.7601.22705_none_0fa689aa513ff9c8.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_1a66cf1110ddb3f9996a6c467e698334_31bf3856ad364e35_6.1.7601.22705_none_c2fe6c33850843c3.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_1cdd0576ae4b92be614bfb9ab7c12f7e_31bf3856ad364e35_6.1.7601.22705_none_c6aca23b6e345882.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_1fe48e60c2f856ed2ea06b481aed0b5e_31bf3856ad364e35_6.1.7601.22705_none_da4160c59825f74f.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_22d84a0cd47f64e05abd5d866aa03a16_31bf3856ad364e35_6.1.7601.22705_none_d09df05bc855164a.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_35a600f3b401f681ee41ee10cfb48803_31bf3856ad364e35_6.1.7601.22705_none_97754ca280f62270.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_5077e745eebddb0cee760813dd4e565e_31bf3856ad364e35_6.1.7601.22705_none_af56718e4902aade.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_5e92245bcde927b5e9a1c3600a4cbf2d_31bf3856ad364e35_6.1.7601.22705_none_996f8e4e27f6fb69.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_68739f3d0379020e92a823660bf8c8da_31bf3856ad364e35_6.1.7601.22705_none_85a434a3523bd03d.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_6efc9acb98d7fe3ed47ce4d0850a6c24_31bf3856ad364e35_6.1.7601.22705_none_6c11b26cc8be215e.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_892d30f66ac250fd9e4a5eb984231b33_31bf3856ad364e35_6.1.7601.22705_none_45c6f48a68d65df7.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_9bdfc43352f382d72b57c83f1d8ae3c8_31bf3856ad364e35_6.1.7601.22705_none_ccb19431b7ea6f0a.manifest
File versionNot applicable
File size716
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_aab6ab4af4b602bf6bc4b73cc373036d_31bf3856ad364e35_6.1.7601.22705_none_ccd12545609784ef.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_b54c25af98301cf6664095962f23206a_31bf3856ad364e35_6.1.7601.22705_none_648ce1336db58b81.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_bf1cd18fe64d3db38e3dae9da7576d8b_31bf3856ad364e35_6.1.7601.22705_none_8528fd8c7aefe24b.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_d6cf5096756a60a28a19eb0ed5f4f913_31bf3856ad364e35_6.1.7601.22705_none_e729f6f9dbb13b10.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_dc8609a03a3d40db60dc29cdf8a0b399_31bf3856ad364e35_6.1.7601.22705_none_9e0b74e8ccc72bd9.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_ef166b9417477c83c4f5382a2cc16708_31bf3856ad364e35_6.1.7601.22705_none_98cc5fbcc043df01.manifest
File versionNot applicable
File size728
Date (UTC)02-Jun-2014
Time (UTC)07:59
PlatformNot applicable
File nameAmd64_microsoft-windows-d..toryservices-ntdsai_31bf3856ad364e35_6.1.7601.22705_none_4f819f7ae8d702d8.manifest
File versionNot applicable
File size3,531
Date (UTC)30-May-2014
Time (UTC)08:28
PlatformNot applicable

↑ Back to the top


Keywords: kbexpertiseinter, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, KB2458125

↑ Back to the top

Article Info
Article ID : 2458125
Revision : 4
Created on : 7/8/2014
Published on : 7/8/2014
Exists online : False
Views : 1781