mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
5560668-part4
parent
0f577240e4
commit
333a0ccb6a
@ -110,7 +110,7 @@ You typically will see many of these events in the event log, because every logo
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
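Review bot: The added line keeps the link text "well-known security principals" but its new target, `/windows/security/identity-protection/access-control/security-identifiers`, has no fragment, so the reader lands at the top of the article and has to search for LOCAL SERVICE or ANONYMOUS LOGON. If that article has a heading for well-known SIDs, link to that heading's anchor. The move from the support.microsoft.com KB URL to a site-relative path is otherwise fine.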
@ -90,7 +90,7 @@ Failure event generates when service call attempt fails.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
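Review bot: The sentence edited here is word for word the one edited in the previous hunk and in the hunks that follow, one copy per event article. Consider moving these bullets into a shared include so that the next link change is a single edit and no copy can be missed by a per-file search and replace.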
@ -93,7 +93,7 @@ Failure event generates when operation attempt fails.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -108,7 +108,7 @@ This event generates every time a new process starts.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
|
||||
|
||||
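Review bot: The changed line in this hunk, and in the next hunk of the same article, writes the value as "NT AUTHORITY" and "Win81" with straight quotes, while the same sentence in the other hunks of this commit uses curly quotes (“NT AUTHORITY”). Since the line is being rewritten anyway, settle on one form across the event articles; straight quotes are the safer choice for a literal value that readers may copy into an event log filter or detection rule.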
@ -132,7 +132,7 @@ This event generates every time a new process starts.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
|
||||
|
||||
|
@ -85,7 +85,7 @@ This event generates every time a process has exited.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ This event generates if an attempt was made to duplicate a handle to an object.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -89,7 +89,7 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -96,7 +96,7 @@ Failure event generates when a Master Key backup operation fails for some reason
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -93,7 +93,7 @@ Failure event generates when a Master Key restore operation fails for some reaso
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -92,7 +92,7 @@ This event generates every time a process runs using the non-current access toke
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
@ -134,7 +134,7 @@ This event generates every time a process runs using the non-current access toke
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -87,7 +87,7 @@ This event generates when new service was installed in the system.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -95,7 +95,7 @@ This event generates every time a new scheduled task is created.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -95,7 +95,7 @@ This event generates every time a scheduled task was deleted.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -95,7 +95,7 @@ This event generates every time a scheduled task is enabled.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -95,7 +95,7 @@ This event generates every time a scheduled task is disabled.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -95,7 +95,7 @@ This event generates every time scheduled task was updated/changed.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -94,7 +94,7 @@ Token privileges provide the ability to take certain system-level actions that y
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
@ -116,7 +116,7 @@ Token privileges provide the ability to take certain system-level actions that y
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ You will see unique event for every user.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ You will see unique event for every user.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -90,7 +90,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -85,7 +85,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -85,7 +85,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -90,7 +90,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ You will see unique event for every user if logon user rights were granted to mu
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -86,7 +86,7 @@ You will see unique event for every user if logon user rights were removed for m
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -88,7 +88,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -105,7 +105,7 @@ This event generates on domain controllers, member servers, and workstations.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
@ -157,7 +157,7 @@ Typically, **Primary Group** field for new user accounts has the following value
|
||||
|
||||
- 513 (Domain Users. For local accounts this RID means Users) – for domain and local users.
|
||||
|
||||
See this article <https://support.microsoft.com/kb/243330> for more information. This parameter contains the value of **primaryGroupID** attribute of new user object.
|
||||
See this article </windows/security/identity-protection/access-control/security-identifiers> for more information. This parameter contains the value of **primaryGroupID** attribute of new user object.
|
||||
|
||||
<!-- -->
|
||||
|
||||
|
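Review bot: The added line wraps a site-relative path in angle brackets, `</windows/security/identity-protection/access-control/security-identifiers>`. Markdown autolinks require an absolute URI with a scheme, so this will not render as a link the way `<https://support.microsoft.com/kb/243330>` did, and it may be parsed as a stray HTML tag instead. Use the inline link form that the other hunks in this commit use, for example `[security identifiers](/windows/security/identity-protection/access-control/security-identifiers)`.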
@ -89,7 +89,7 @@ For computer accounts, this event generates only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
@ -96,7 +96,7 @@ Typically you will see 4723 events with the same **Subject\\Security ID** and **
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|