Event ID 5137: A Directory Service Object Was Created [Fix]

Explore the easiest methods to fix Event ID 5137

Reading time icon 4 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Key notes

  • Event ID 5137 may indicate a normal and legitimate creation of a Directory Service object.
  • This event could have been logged due to routine administrative activities, such as creating new user accounts, groups, or organizational units.
EVENT ID 5137 (1)

If you have encountered Event ID 5137 on your computer and wondering what it is, this guide can help! In this guide, we will explore the causes of the event and provide solutions to address any potential issues or misconfiguration.

What is Event ID 5137?

Event ID 5137 is a specific event log entry in the Windows Event Viewer related to the Active Directory service in a Windows environment.

When an object is created in Active Directory, such as a user account, group, or organizational unit, the event is logged with this event.

It provides information about the object that was created, including its name, unique identifier (GUID), and location within the directory structure.

The Event ID helps administrators monitor and track object creations, ensuring accountability and compliance with administrative policies.

You must remember that this event alone does not indicate an error or problem, as it is a normal event that occurs during routine administrative tasks.

However, in some cases, it may indicate unauthorized object creations that require further investigation to ensure the security and integrity of the Active Directory environment.

Why do I get the Event ID 5137?

There could be several reasons for this event to occur; some of the common ones are:

  • Legitimate object creation – It may occur due to routine administrative activities, such as creating a new user account, group, or organizational units.
  • Misconfigurations or errors – This event may occur due to improper configurations or errors in Active Directory settings, including issues with permissions and synchronization processes.
  • Unauthorized object creation – Event ID 5137 may indicate unauthorized or suspicious object creation, which could be a sign of a security breach or malicious activity.

Now that you know the reasons, let us move to the next section to understand what needs to do

How can I fix the Event ID 5137 issues?

1. Review the event details & verify the legitimacy

  1. Press the Windows key, type event viewer, and click Open.Event Viewer event id 5137
  2. Go to Windows Logs, then Security.
  3. On the right pane, you will get the list of events logged.event id 5137 evetn viwer
  4. Locate Event ID 5137, select, and go to General. Check the security change and other modifications made for the file or folder.

If you think the change was legit, you donโ€™t have to take an action. However, if you feel otherwise, then you must move to the next step.

2. Audit Active Directory changes

  1. Press Windows + R to open the Run box.Device Manager Run command Event IS 5137
  2. Type gpedit.msc and click OK to open Group Policy Editor.
  3. Navigate to this path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit PolicyAudit policy
  4. Click Audit Policy and check all the policies listed in the right pane to ensure the settings are appropriate.

To keep an eye on changes made to the Active Directory, you can enable auditing of Active Directory. It must be configured to log relevant events, including object creations.

You must implement a centralized log management solution to consolidate and analyze the audit logs for prompt detection of suspicious activities.

If you already have the audit policy in place, review and update the permissions and access controls within Active Directory to ensure they are aligned with your organization’s security policies.

3. Use security assessment tools

To perform periodic security assessments and audits of your Active Directory infrastructure, we suggest using security assessment tools to scan for vulnerabilities in the environment in real time.

This will help you address any identified security gaps to reduce the likelihood of unauthorized object creation.

So, these are solutions that you can use to address Event ID 5137 effectively and ensure the integrity and security of your Active Directory environment.

To maintain a healthy and secure directory service, regular monitoring, proper configurations, and proactive security measures are critical.

If you are looking for the best practices for Active Directory, we suggest you check out this guide for solutions.

Please feel free to give us any information, tips, and your experience with the subject in the comments section below.

More about the topics: event log viewers, Event Viewer

User forum

0 messages