We are monitoring changes on critical AD objects by event ID 4662. It usually does a good job reporting who initiated the change. Today we have an alert as below:
An operation was performed on an object.
Subject : Security ID: SYSTEM Account Name: DC1$ Account Domain: john.com Logon ID: 0x76AB862E
Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx},CN=Policies,CN=System,DC=john,DC=com Handle ID: 0x0
Operation: Operation Type: Object Access Accesses: Write Property
This is a normal event 4662 except that the subject is "System" of DC1. Why would the system account change a GPO?
Turns out that this is our Default Domain Controllers Policy. There wasn't a direct edit to the GPO. Rather, logon credential for a service on this DC was changed, which in turn added the new service account to "logon as service".