diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index 9dc8d45822..2c13953d7d 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -98,17 +98,6 @@ To validate a UE-V settings location template with the UE-V template generator:
After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.
-## Next steps
-
-## Share settings location templates with the Template Gallery
-
-Before you share a settings location template on the UE-V template gallery, ensure it doesn't contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.
-
-- Template Author Name - Specify a general, non-identifying name for the template author name or exclude this data from the template.
-- Template Author Email - Specify a general, non-identifying template author email or exclude this data from the template.
-
-Before you deploy any settings location template that you've downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.
-
## Related topics
[Administering UE-V](uev-administering-uev.md)
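Review bot: Two pieces of guidance deleted with the "Share settings location templates with the Template Gallery" section do not depend on the gallery and are worth keeping in gallery-neutral wording: reviewing Template Author Name and Template Author Email before a template is shared outside the company, and testing any downloaded template in a test environment before deployment. Nothing added in this hunk replaces either one. Dropping the empty "## Next steps" heading is fine.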
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 279791472e..41c8fe6d12 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -1,5 +1,5 @@
---
-title: 4913(S) Central Access Policy on the object was changed.
+title: 4913(S) Central Access Policy on the object was changed
description: Describes security event 4913(S) Central Access Policy on the object was changed.
ms.pagetype: security
ms.mktglfcycl: deploy
@@ -7,14 +7,13 @@ ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
-# 4913(S): Central Access Policy on the object was changed.
-
+# 4913(S): Central Access Policy on the object was changed
@@ -24,44 +23,45 @@ ms.topic: reference
This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.
-This event always generates, regardless of the object’s [SACL](/windows/win32/secauthz/access-control-lists) settings.
+This event always generates, regardless of the object's [SACL](/windows/win32/secauthz/access-control-lists) settings.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
-
***Event XML:***
-```
+
+```xml
-
-
-
- 4913
- 0
- 0
- 13570
- 0
- 0x8020000000000000
-
- 1183666
-
-
- Security
- DC01.contoso.local
-
+
+ 4913
+ 0
+ 0
+ 13570
+ 0
+ 0x8020000000000000
+
+ 1183666
+
+
+ Security
+ DC01.contoso.local
+
-
- S-1-5-21-3457937927-2839227994-823803824-1104
- dadmin
- CONTOSO
- 0x37901
- Security
- File
- C:\\Audit Files\\HBI Data.txt
- 0x3d4
- S:AI
- S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)
- 0x884
- C:\\Windows\\System32\\dllhost.exe
+ S-1-5-21-3457937927-2839227994-823803824-1104
+ dadmin
+ CONTOSO
+ 0x37901
+ Security
+ File
+ C:\\Audit Files\\HBI Data.txt
+ 0x3d4
+ S:AI
+ S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534)
+ 0x884
+ C:\\Windows\\System32\\dllhost.exe
```
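Review bot: The two path values in the Event XML sample still read `C:\\Audit Files\\HBI Data.txt` and `C:\\Windows\\System32\\dllhost.exe` on the added lines. Markdown escapes are not processed inside a fenced block, so the sample renders with doubled backslashes that a real event does not contain. Since these lines are being rewritten anyway, change them to single backslashes so the sample can be compared with real event data.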
@@ -82,7 +82,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
+- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
@@ -90,17 +90,17 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
- Uppercase full domain name: CONTOSO.LOCAL
- - For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+ - For some [well-known security principals](/windows-server/identity/ad-ds/manage/understand-security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
- - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+ - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
-- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
**Object**:
-- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
+- **Object Server** \[Type = UnicodeString\]: has "**Security**" value for this event.
-- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **“File”** for this event.
+- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation. Always **"File"** for this event.
The following table contains the list of the most common **Object Types**:
@@ -118,7 +118,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
-- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
+- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, "[4663](event-4663.md)(S): An attempt was made to access an object." This parameter might not be captured in the event, and in that case appears as "0x0".
**Process:**
@@ -128,7 +128,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
- You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
+ You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID** field.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
@@ -136,29 +136,30 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
- **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object).
- SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps:
+ SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is "**S-1-17-1442530252-1178042555-1247349694-2318402534**". To resolve this SID to the real Central Access Policy name, you need to do the following steps:
-1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container.
+1. Find Central Access Policy Active Directory object in: "CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX" Active Directory container.
-2. Open object’s “**Properties**”.
+2. Open object's "**Properties**".
-3. Find “**msAuthz-CentralAccessPolicyID**” attribute.
+3. Find "**msAuthz-CentralAccessPolicyID**" attribute.
-4. Convert hexadecimal value to SID (string). Here you can see more information about how to perform this action: .
+4. Convert hexadecimal value to SID (string).
-> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example “**S:AI**”.
+> If no Central Access Policies were applied to the object, then SDDL will not contain any SIDs, for example "**S:AI**".
- **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event.
-> **Note** The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
->
+> [!NOTE]
+> The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
+>
> Example:
->
-> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
->
-> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
+>
+> `*O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)`
+>
+> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
> See the list of possible values in the table below:
| Value | Description | Value | Description |
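Review bot: Wrapping the SDDL example in backticks makes the emphasis markers literal, so the added line renders as `*O*:BA*G*:SY*D*:...*S*:ARAI(...)` with asterisks that are not part of SDDL. Either drop the asterisks inside the code span or keep the line outside code formatting so the O/G/D/S markers stay italic. The same line also carries `0×7` with a multiplication sign instead of the letter x, which should read `0x7` now that it is presented as code. Separately, step 4 ("Convert hexadecimal value to SID (string).") loses its dangling reference but now gives the reader no pointer on how to do the conversion; a working link or a one-line description would close that gap.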
@@ -193,13 +194,13 @@ Example: D:(A;;FA;;;WD)
- entry\_type:
-“D” - DACL
+"D" - DACL
-“S” - SACL
+"S" - SACL
- inheritance\_flags:
-"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
+"P" - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set.
@@ -231,7 +232,7 @@ Example: D:(A;;FA;;;WD)
"NP" - NO PROPAGATE: only immediate children inherit this ace.
-"IO" - INHERITANCE ONLY: ace doesn’t apply to this object, but may affect children via inheritance.
+"IO" - INHERITANCE ONLY: ace doesn't apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
@@ -262,24 +263,26 @@ Example: D:(A;;FA;;;WD)
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
-For more information about SDDL syntax, see these articles: , .
+For more information about SDDL syntax, see these articles:
+
+- [2.5.1.1 Syntax](/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070)
+- [ACCESS_MASK](/windows/win32/secauthz/access-mask)
## Security Monitoring Recommendations
For 4913(S): Central Access Policy on the object was changed.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+> [!IMPORTANT]
+> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
+- If you need to monitor events related to specific Windows object types ("**Object Type**"), for example **File** or **Key**, monitor this event for the corresponding "**Object Type**."
-- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the “**Object Name**” that corresponds to the file or folder.
+- If you need to monitor all changes to specific files or folders (in this case, changes to the Central Access Policy), monitor for the "**Object Name**" that corresponds to the file or folder.
-- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+- If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
-- You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if "**Process Name**" isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-
+- If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
-- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-
-- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
\ No newline at end of file
+- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in "**New Security Descriptor**" to see if it matches the expected policy.
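Review bot: The first recommendation, kept here with only quote changes, still suggests monitoring "**Object Type**" "for example **File** or **Key**", while the field description earlier in this same file states that Object Type is always "File" for this event. Since the bullet is being touched, either remove it for 4913 or reword it so that it does not imply other object types can appear. Minor style point on the same bullets: the closing period sits inside the quotation marks in `"**Object Type**."` and `"**Process Name**."`, which reads as part of the field name.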