Directory Service Change auditing needs to be enabled.
Use the following commands:
Get current audit settings:
auditpol /get /category:*
Confirm that Advanced Auditing is enabled:
reg query HKLM\System\CurrentControlSet\Control\LSA /v SCENoApplyLegacyAuditPolicy
Enable Directory Service Change auditing:
Audit Directory Service Changes
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes
AD Audit Configuration
https://docs.utmstack.com/books/ad-auditor/page/ad-audit
Note that auditing also needs to be enabled on the AD objects themselves. This typically means adding a System Access Control List (SACL) at the root of the object hierarchies, specifying that modifications and deletes are audited. These should be added to the root of the domain in AD Users and Computers (dsa.msc), and the root of the Sites config container in AD Sites and Services (dssite.msc).
If all is configured correctly, there should be plenty of change events (Event Id 5136) in the security event log, due to objects are frequently changed during normal operation. You can also test creation/deletion of objects to create 5137 and 5141 events, respectively.
