Merge branch 'master' into v-mathavale-5560668-part8

This commit is contained in:
Gary Moore
2021-12-14 18:49:15 -08:00
committed by GitHub
30 changed files with 244 additions and 230 deletions

View File

@ -95,7 +95,7 @@ For local accounts, a Failure event generates if the new password fails to meet
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
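Review bot: the replacement target `/windows/security/identity-protection/access-control/security-identifiers` is a site-relative path, so it resolves only when the page is rendered on the docs site, unlike the absolute `https://support.microsoft.com/kb/243330` link it replaces; that matches the repo's convention, but the link text "well-known security principals" now points at the general Security identifiers article rather than a dedicated list, so it is worth confirming that article still enumerates LOCAL SERVICE and ANONYMOUS LOGON with their `NT AUTHORITY` authority, since that is what the sentence relies on. The same substitution is repeated across the other event pages in this commit and the same check applies to each.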

View File

@ -89,7 +89,7 @@ For computer accounts, this event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -88,7 +88,7 @@ This event generates on domain controllers, member servers, and workstations.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -90,7 +90,7 @@ This event generates on domain controllers, member servers, and workstations.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -93,7 +93,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -103,7 +103,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>
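Review bot: the touched **Account Name** line still carries `“**-**“` with an opening curly quote on both sides, while the rest of this change converts `“-“` to `` `-` `` (see the 4738 hunks further down); since the line is being edited anyway, apply the same backtick form here so the file is consistent. The parallel "removed from the group" hunk for event 4733 below has the identical leftover.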

View File

@ -93,7 +93,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
@ -103,7 +103,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
> **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>

View File

@ -88,7 +88,7 @@ This event generates on domain controllers, member servers, and workstations.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -97,7 +97,7 @@ From 4735 event you can get information about changes of **sAMAccountName** and
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -16,10 +16,9 @@ ms.technology: windows-sec
# 4738(S): A user account was changed.
:::image type="content" source="images/event-4738.png" alt-text="Event 4738 illustration.":::
<img src="images/event-4738.png" alt="Event 4738 illustration" width="449" height="771" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit User Account Management](audit-user-account-management.md)
***Subcategory:*** [Audit User Account Management](audit-user-account-management.md)
***Event Description:***
@ -29,16 +28,16 @@ This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as `-`. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4738 event will generate, but all attributes will be `-`.
Some changes do not invoke a 4738 event.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
**Event XML:**
***Event XML:***
```
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
@ -101,7 +100,8 @@ Some changes do not invoke a 4738 event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change user account” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change user account” operation.
@ -113,7 +113,7 @@ Some changes do not invoke a 4738 event.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
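Review bot: this file now links to the Security identifiers article under two different paths: the unchanged SID note in the previous hunk uses `/windows/access-protection/access-control/security-identifiers`, while this hunk introduces `/windows/security/identity-protection/access-control/security-identifiers` for the well-known principals. Both likely resolve through redirects today, but one canonical path should be used in both places so a future redirect cleanup does not break half of them.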
@ -145,7 +145,7 @@ Unfortunately, for local accounts, all fields, except changed attributes, will h
- **Display Name** \[Type = UnicodeString\]: it is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. If the value of **displayName** attribute of user object was changed, you will see the new value here. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always has “-“ value.
- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. If the value of **userPrincipalName** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always has `-` value.
- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
@ -155,7 +155,7 @@ Unfortunately, for local accounts, all fields, except changed attributes, will h
- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. If the value of **profilePath** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always appears as “**&lt;value not set&gt;**.“
- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. If the value of **userWorkstations** attribute of user object was changed, you will see the new value here. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. For local accounts, this field is not applicable and always appears as `<value not set>`.
- **Password Last Set** \[Type = UnicodeString\]**:** last time the accounts password was modified. If the value of **pwdLastSet** attribute of user object was changed, you will see the new value here. For example: 8/12/2015 11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local accounts, this field always has some value—if the account's attribute was not changed it will contain the current value of the attribute.
@ -163,7 +163,8 @@ Unfortunately, for local accounts, all fields, except changed attributes, will h
- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of users object primary group.
> **Note**&nbsp;&nbsp;**Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
> [!NOTE]
> **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
This field will contain some value if users object primary group was changed. You can change users primary group using Active Directory Users and Computers management console in the **Member Of** tab of user object properties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a default primary group for users.
@ -171,7 +172,7 @@ Typical **Primary Group** values for user accounts:
- 513 (Domain Users. For local accounts this RID means Users) for domain and local users.
See this article <https://support.microsoft.com/kb/243330> for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here.
See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here.
<!-- -->
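Review bot: the new sentence "See the [well-known security principals](...) for more information." reads awkwardly because the link text is a noun phrase standing in for an article title; something like "See [Security identifiers](...) for the list of well-known security principals and RIDs." keeps the link and makes clear what the reader will find, which matters here because the surrounding text is about primary group RIDs such as 513.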
@ -183,17 +184,18 @@ Typical **Primary Group** values for user accounts:
If the value of **msDS-AllowedToDelegateTo** attribute of user object was changed, you will see the new value here.
The value can be “**&lt;value not set&gt;**”, for example, if delegation was disabled.
The value can be `<value not set>`, for example, if delegation was disabled.
For local accounts, this field is not applicable and always has “-“ value.
For local accounts, this field is not applicable and always has `-` value.
> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
To decode this value, you can go through the property value definitions in the [Users or Computers account UAC flags.](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
To decode this value, you can go through the property value definitions in the [Users or Computers account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
Here's an example: Flags value from event: 0x15
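Review bot: the stray period inside the link text `[Users or Computers account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest` survives on the touched line; the period belongs after "smallest", not inside the brackets, so drop it from the link text while the line is being rewritten. The `> [!NOTE]` conversion in the same hunk looks correct.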
@ -223,9 +225,9 @@ Decoding:
So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [Users or Computers account UAC flags](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [Users or Computers account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of users account properties, then you will see **&lt;value changed, but not displayed&gt;** in this field. For local accounts, this field is not applicable and always has &lt;value not set&gt; value.
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of users account properties, then you will see `<value changed, but not displayed>` in this field. For local accounts, this field is not applicable and always has `<value not set>` value.
- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of user object was changed, you will see the new value here.
@ -249,7 +251,8 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
For 4738(S): A user account was changed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Some organizations monitor every [4738](event-4738.md) event.
@ -260,16 +263,16 @@ For 4738(S): A user account was changed.
- Consider whether to track the following fields:
| **Field to track** | **Reason to track** |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|
| **Display Name**<br>**User Principal Name**<br>**Home Directory**<br>**Home Drive**<br>**Script Path**<br>**Profile Path**<br>**User Workstations**<br>**Password Last Set**<br>**Account Expires**<br>**Primary Group ID<br>Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. |
| **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked `<value not set>` | If **AllowedToDelegateTo** is marked `<value not set>` on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
- Consider whether to track the following user account control flags:
| **User account control flag to track** | **Information about the flag** |
|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|
| **'Normal Account'** Disabled | Should not be disabled for user accounts. |
| **'Password Not Required'** Enabled | Should not typically be enabled for user accounts because it weakens security for the account. |
| **'Encrypted Text Password Allowed'** Enabled | Should not typically be enabled for user accounts because it weakens security for the account. |
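Review bot: the **SID History** row still uses a bare `-` in both cells ("is not -" and "will always be set to -") while the **AllowedToDelegateTo** row in the same hunk switches to backticked `<value not set>`; for consistency with the `-` → `` `-` `` change elsewhere in this file, write those as `` `-` `` too. Separately, the context line `**Primary Group ID<br>Logon Hours**` bolds across the `<br>` whereas every other item in that cell is bolded individually; `**Primary Group ID**<br>**Logon Hours**` would match the rest of the cell.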

View File

@ -116,7 +116,7 @@ This event generates when one of the following changes was made to local compute
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -87,7 +87,7 @@ For user accounts, this event generates on domain controllers, member servers, a
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

View File

@ -27,12 +27,12 @@ This event generates every time a new computer object is created.
This event generates only on domain controllers.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
> [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
```
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
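Review bot: dropping `<br clear="all">` here is only safe if the floated `<img ... align="left">` near the top of this file was also replaced with the `:::image:::` syntax, as the 4738 hunk above does; that line sits outside the visible hunks for this file, so please confirm it was converted, otherwise the **Event XML** block will wrap beside the image instead of below it.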
@ -95,7 +95,8 @@ This event generates only on domain controllers.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create Computer object” operation.
@ -107,7 +108,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
@ -129,27 +130,28 @@ This event generates only on domain controllers.
- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new computer object. For example: WIN81$.
- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new computer object. It is a name displayed in the address book for a particular account (typically user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new computer object. It is a name displayed in the address book for a particular account (typically user account). This is usually the combination of the user's first name, middle initial, and last name. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** accounts attribute. The drive letter must be specified in the form DRIVE\_LETTER:. For example “H:”. This parameter contains the value of **homeDrive** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** accounts attribute. The drive letter must be specified in the form `DRIVE\_LETTER:`. For example `H:`. This parameter contains the value of **homeDrive** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account's logon script. This parameter contains the value of **scriptPath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account's logon script. This parameter contains the value of **scriptPath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. This parameter contains the value of **userWorkstations** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a computer object. This parameter contains the value of **userWorkstations** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Password Last Set** \[Type = UnicodeString\]**:** last time the accounts password was modified. For manually created computer account, using Active Directory Users and Computers snap-in, this field typically has value “**&lt;never&gt;”**. For computer account created during standard domain join procedure this field will contains time when computer object was created, because password creates during domain join procedure. For example: 8/12/2015 11:41:39 AM. This parameter contains the value of **pwdLastSet** attribute of new computer object.
- **Password Last Set** \[Type = UnicodeString\]**:** last time the accounts password was modified. For manually created computer account, using Active Directory Users and Computers snap-in, this field typically has value `<never>`. For computer account created during standard domain join procedure this field will contains time when computer object was created, because password creates during domain join procedure. For example: 8/12/2015 11:41:39 AM. This parameter contains the value of **pwdLastSet** attribute of new computer object.
- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”.
- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as `-`.
- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computers object primary group.
> **Note**&nbsp;&nbsp;**Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
> [!NOTE]
> **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
Typically, **Primary Group** field for new computer accounts has the following values:
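Review bot: in the Home Drive entry, `DRIVE\_LETTER:` is now inside a code span, where Markdown does not process the `\_` escape, so it will render with a literal backslash; change it to `` `DRIVE_LETTER:` ``. While the Password Last Set entry is being edited, also fix its grammar: "last time the accounts password was modified" should be "account's password", and "this field will contains time when computer object was created, because password creates during domain join procedure" should read "this field contains the time when the computer object was created, because the password is created during the domain join procedure".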
@ -159,15 +161,16 @@ Typically, **Primary Group** field for new computer accounts has the following v
- 515 (Domain Computers) for member servers and workstations.
See this article <https://support.microsoft.com/kb/243330> for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object.
See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object.
<!-- -->
- **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. Typically it is set to “**-“** for new computer objects. This parameter contains the value of **AllowedToDelegateTo** attribute of new computer object. See description of **AllowedToDelegateTo** field for “[4742](event-4742.md): A computer account was changed” event for more details.
- **AllowedToDelegateTo** \[Type = UnicodeString\]: the list of SPNs to which this account can present delegated credentials. Can be changed using Active Directory Users and Computers management console in **Delegation** tab of computer account. Typically it is set to `-` for new computer objects. This parameter contains the value of **AllowedToDelegateTo** attribute of new computer object. See description of **AllowedToDelegateTo** field for “[4742](event-4742.md): A computer account was changed” event for more details.
> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always **“0x0”** for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
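Review bot: the rewritten sentence "See the [well-known security principals](...) for more information." reads awkwardly now that the bare URL is gone; "For more information, see [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers)." keeps the link and fixes the grammar. The Old UAC Value entry is also missing its verb: "**Old UAC value** always `0x0`" should be "**Old UAC value** is always `0x0`".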
@ -201,10 +204,10 @@ Decoding:
So this UAC flags value decodes to: LOCKOUT and SCRIPT
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
| <span id="User_or_Computer_account_UAC_flags" class="anchor"></span>Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
|-------------------------------------------------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
|---|---|---|---|---|
| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled<br>Account Enabled |
| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
@ -231,15 +234,15 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
> <span id="_Ref433117054" class="anchor"></span>Table 7. Users or Computers account UAC flags.
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computers account properties, then you will see **&lt;value changed, but not displayed&gt;** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”.
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computers account properties, then you will see `<value changed, but not displayed>` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`.
- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”.
- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as `-`.
- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **&lt;value not set&gt;** value for new created computer accounts in event 4741.
- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see `<value not set>` value for new created computer accounts in event 4741.
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“.
- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value `-`.
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation<b>:</b>
- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals `-`. This is an example of **Service Principal Names** field for new domain joined workstation:
HOST/Win81.contoso.local
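Review bot: two grammar slips remain on lines this hunk rewrites: "for new created computer accounts" should be "for newly created computer accounts" in the Logon Hours entry, and "it is typically equals `-`" should be "it typically equals `-`" in the Service Principal Names entry. Moving `<value changed, but not displayed>` and `<value not set>` into code spans is the right fix, since the raw angle brackets no longer need the `&lt;`/`&gt;` entities.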
@ -251,10 +254,10 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
**Additional Information:**
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as `-`. See full list of user privileges in the table below:
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|---|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
@ -297,27 +300,28 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
For 4741(S): A computer account was created.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If your information security monitoring policy requires you to monitor computer account creation, monitor this event.
- Consider whether to track the following fields and values:
| **Field and value to track** | **Reason to track** |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **SAM Account Name**: empty or - | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly. |
|---|---|
| **SAM Account Name**: empty or `-` | This field must contain the computer account name. If it is empty or **-**, it might indicate an anomaly. |
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**AllowedToDelegateTo** is not - | Typically these fields are **-** for new computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** is **&lt;never&gt;** | This typically means this is a manually created computer account, which you might need to monitor. |
| **Account Expires** is not **&lt;never&gt;** | Typically this field is **&lt;never&gt;** for new computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** is `<never>` | This typically means this is a manually created computer account, which you might need to monitor. |
| **Account Expires** is not `<never>` | Typically this field is `<never>` for new computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Primary Group ID** is any value other than 515. | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>If the **Primary Group ID** is 516 or 521, it is a new domain controller or RODC, and the event should be monitored.<br>If the value is not 516, 521, or 515, it is not a typical value and should be monitored. |
| **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new computer accounts. Other values might indicate an anomaly and should be monitored. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
| **Logon Hours** value other than **&lt;value not set&gt;** | This should always be **&lt;value not set&gt;** for new computer accounts. |
| **SID History** is not `-` | This field will always be set to - unless the account was migrated from another domain. |
| **Logon Hours** value other than `<value not set>` | This should always be `<value not set>` for new computer accounts. |
- Consider whether to track the following account control flags:
| **User account control flag to track** | **Information about the flag** |
|--------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|
| **'Encrypted Text Password Allowed'** Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. |
| **'Server Trust Account'** Enabled | Should be enabled **only** for domain controllers. |
| **'Don't Expire Password'** Enabled | Should not be enabled for new computer accounts, because the password automatically changes every 30 days by default. For computer accounts, this flag cannot be set in the account properties in Active Directory Users and Computers. |
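Review bot: the table edits are inconsistent within single rows: the SAM Account Name row now reads "empty or `-`" in the first column but still "If it is empty or **-**" in the second, and the SID History row has "is not `-`" beside "always be set to -"; apply the code-span form in both columns. The unchanged Display Name / User Principal Name row ("is not -", repeated eight times) and the Old UAC Value row ("is not 0x0", "Typically this field is **0x0**") use bare and bold forms of the same placeholders and should get the same treatment so one table does not use three styles for one value.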
View File
@ -16,10 +16,9 @@ ms.technology: windows-sec
# 4742(S): A computer account was changed.
:::image type="content" source="images/event-4742.png" alt-text="Event 4742 illustration":::
<img src="images/event-4742.png" alt="Event 4742 illustration" width="449" height="781" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Computer Account Management](audit-computer-account-management.md)
***Subcategory:*** [Audit Computer Account Management](audit-computer-account-management.md)
***Event Description:***
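Review bot: replacing the floated `<img ... align="left" />` with the `:::image type="content" ...:::` block changes the layout: the image is no longer floated beside the Subcategory and Event Description lines, so the `<br clear="all">` that this commit leaves in place further down the same file (just before the "Event XML" heading, in the next hunk) no longer clears anything and should be removed in the same change.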
@ -33,16 +32,19 @@ For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
You might see this event without any changes inside, that is, where all **Changed Attributes** appear as `-`. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4742 event will generate, but all attributes will be `-`.
***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
> [!IMPORTANT]
>
> - If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
>
> - For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
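Review bot: the former `> **Note**` callout ("For recommendations, see Security Monitoring Recommendations for this event") is folded into the `> [!IMPORTANT]` alert as a second bullet, which raises a plain cross-reference to Important severity and turns the one Important statement into a bulleted list. Keep the SMARTCARD_REQUIRED paragraph as the sole body of `> [!IMPORTANT]` and move the recommendations pointer into its own `> [!NOTE]` block, matching how the other Note callouts in this file are converted. Tagging the Event XML fence as ```xml is a good change.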
@ -106,7 +108,8 @@ You might see this event without any changes inside, that is, where all **Change
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change Computer object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
> [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change Computer object” operation.
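Review bot: the SID link at the end of the converted note still points to `/windows/access-protection/access-control/security-identifiers`, while every other hunk in this commit standardizes the well-known security principals link on `/windows/security/identity-protection/access-control/security-identifiers`. Update this one to the same path so the file does not carry two different paths for the same target.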
@ -118,7 +121,7 @@ You might see this event without any changes inside, that is, where all **Change
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
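Review bot: replacing the retired KB 243330 link with the security identifiers article is the right direction; since the new target is a long page, check that it actually lists LOCAL SERVICE and ANONYMOUS LOGON under NT AUTHORITY (the specific claim this bullet makes) and consider adding a section anchor so readers land on the well-known SIDs table rather than the top of the page. The same replacement is repeated in every other file in this commit, so one check covers all of them.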
@ -138,7 +141,8 @@ You might see this event without any changes inside, that is, where all **Change
**Changed Attributes:**
> **Note**&nbsp;&nbsp;If attribute was not changed it will have “-“ value.
> [!NOTE]
> If attribute was not changed it will have `-` value.
- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of computer object was changed, you will see the new value here. For example: WIN8$.
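Review bot: since the note text is being rewritten anyway, fix its grammar: "If attribute was not changed it will have `-` value" should read "If an attribute was not changed, it will have the value `-`." The conversion to `> [!NOTE]` itself is fine.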
@ -148,7 +152,7 @@ You might see this event without any changes inside, that is, where all **Change
- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. If the value of **homeDirectory** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** accounts attribute. The drive letter must be specified in the form DRIVE\_LETTER:. For example “H:”. If the value of **homeDrive** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** accounts attribute. The drive letter must be specified in the form `DRIVE\_LETTER:`. For example `H:`. If the value of **homeDrive** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the accounts logon script. If the value of **scriptPath** attribute of computer object was changed, you will see the new value here. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example.
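Review bot: the backslash escape was carried into the code span: inside backticks a backslash is literal, so `DRIVE\_LETTER:` renders with the backslash visible instead of as `DRIVE_LETTER:`. Drop the escape inside the code span, and check any other underscore escapes that were moved into backticks in this PR. While the line is open, "the UNC path specified by **homeDirectory** accounts attribute" needs a possessive: "the account's **homeDirectory** attribute".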
@ -162,7 +166,8 @@ You might see this event without any changes inside, that is, where all **Change
- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of computers object primary group.
> **Note**&nbsp;&nbsp;**Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
> [!NOTE]
> **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain.
This field will contain some value if computers object primary group was changed. You can change computers primary group using Active Directory Users and Computers management console in the **Member Of** tab of computer object properties. You will see a RID of new primary group as a field value. For example, 515 (Domain Computers) for workstations, is a default primary group.
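Review bot: the `> [!NOTE]` conversion is fine; the adjacent context text reads "RID of computers object primary group" and "if computers object primary group was changed", which should be "the computer object's primary group" in both places, since the bullet is already being touched.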
@ -174,7 +179,7 @@ Typical **Primary Group** values for computer accounts:
- 515 (Domain Computers) servers and workstations.
See this article <https://support.microsoft.com/kb/243330> for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here.
See the [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers) for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here.
<!-- -->
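Review bot: "See the [well-known security principals](...) for more information" reads as if a list were named; reword to "For the list of well-known security principals, see ..." or link the article title. Also confirm that the security identifiers article covers the domain-relative RIDs this section depends on (515, 516 and 521), which the KB article it replaces did; otherwise this sentence no longer points the reader anywhere useful.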
@ -186,9 +191,10 @@ Typical **Primary Group** values for computer accounts:
If the value of **msDS-AllowedToDelegateTo** attribute of computer object was changed, you will see the new value here.
The value can be **&lt;value not set&gt;**, for example, if delegation was disabled.
The value can be `<value not set>`, for example, if delegation was disabled.
> **Note**&nbsp;&nbsp;**Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object.
@ -228,7 +234,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
<!-- -->
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computers account properties, then you will see **&lt;value changed, but not displayed&gt;** in this field.
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computers account properties, then you will see `<value changed, but not displayed>` in this field.
- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. If the value of **sIDHistory** attribute of computer object was changed, you will see the new value here.
@ -254,13 +260,14 @@ TERMSRV/Win81.contoso.local
**Additional Information:**
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in “Table 8. User Privileges.”.
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as `-`. See full list of user privileges in “Table 8. User Privileges.”.
## Security Monitoring Recommendations
For 4742(S): A computer account was changed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
> [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have critical domain computer accounts (database servers, domain controllers, administration workstations, and so on) for which you need to monitor each change, monitor this event with the **“Computer Account That Was Changed\\Security ID”** that corresponds to the high-value account or accounts.
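Review bot: the reference "See full list of user privileges in “Table 8. User Privileges.”." ends with a period inside the quotes and another outside, and is a bare pointer to a table that is not linked; since the line is being edited, link the table (or name the article it lives in) and drop the duplicated period. The `> [!IMPORTANT]` conversion further down in this hunk is fine.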
@ -269,17 +276,17 @@ For 4742(S): A computer account was changed.
- Consider whether to track the following fields and values:
| **Field and value to track** | **Reason to track** |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. |
|---|---|
| **Display Name** is not -<br>**User Principal Name** is not -<br>**Home Directory** is not -<br>**Home Drive** is not -<br>**Script Path** is not -<br>**Profile Path** is not -<br>**User Workstations** is not -<br>**Account Expires** is not -<br>**Logon Hours** is not - | Typically these fields are `-` for computer accounts. Other values might indicate an anomaly and should be monitored. |
| **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. |
| **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:<br>**516** for domain controllers<br>**521** for read only domain controllers (RODCs)<br>**515** for servers and workstations (domain computers)<br>Other values should be monitored. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **&lt;value not set&gt;** | If **AllowedToDelegateTo** is marked **&lt;value not set&gt;** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. |
| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked `<value not set>` | If **AllowedToDelegateTo** is marked `<value not set>` on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. |
| **SID History** is not - | This field will always be set to `-` unless the account was migrated from another domain. |
- Consider whether to track the following account control flags:
| **User account control flag to track** | **Information about the flag** |
|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|
| **'Password Not Required'** Enabled | Should not be set for computer accounts. Computer accounts typically require a password by default, except manually created computer objects. |
| **'Encrypted Text Password Allowed'** Enabled | Should not be set for computer accounts. By default, it will not be set, and it cannot be set in the account properties in Active Directory Users and Computers. |
| **'Server Trust Account'** Enabled | Should be enabled **only** for domain controllers. |
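Review bot: the `-` placeholder is formatted inconsistently within the first table: the left column still uses a bare dash ("**Display Name** is not -" through "**Logon Hours** is not -", and "**SID History** is not -"), while the right column now wraps it in backticks. Wrap all of them in backticks so the dash cannot be read as punctuation. Collapsing the delimiter rows to `|---|---|` is fine; rendering is unchanged.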
View File
@ -88,7 +88,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
View File
@ -90,7 +90,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
View File
@ -97,7 +97,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
View File
@ -97,7 +97,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou
<!-- -->
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
<!-- -->
@ -107,7 +107,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou
- **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>
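Review bot: the `> **Note**&nbsp;&nbsp;` callout in the context lines right after the edited **Account Name** bullet still uses the HTML-entity style that this commit converts to `> [!NOTE]` in event-4742.md; convert it here as well so the event pages touched by one change do not end up with two note styles.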
View File
@ -91,7 +91,7 @@ For every removed member you will get separate 4752 event.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
@ -99,7 +99,7 @@ For every removed member you will get separate 4752 event.
- **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.
> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>
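Review bot: same point as in event-4751.md: the `> **Note**&nbsp;&nbsp;` distinguished-name callout immediately following the edited bullet keeps the old entity-based style while event-4742.md in this same commit switches to `> [!NOTE]`; convert it for consistency.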
View File
@ -88,7 +88,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
View File
@ -91,7 +91,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -87,7 +87,7 @@ For user accounts, this event generates on domain controllers, member servers, a
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -86,7 +86,7 @@ This event does *not* generate when a domain account logs on locally to a domain
> **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
- **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](https://support.microsoft.com/kb/243330) account name. Examples:
- **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](/windows/security/identity-protection/access-control/security-identifiers) account name. Examples:
- User example: dadmin
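Review bot: the **Authentication package** callout in the first context line of this hunk still uses `> **Note**&nbsp;&nbsp;` while this commit converts the same construct to `> [!NOTE]` in event-4742.md; convert it here too. The link change in the **Logon Account** bullet is fine.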
View File
@ -82,7 +82,7 @@ This event also generates when user reconnects to virtual host Hyper-V Enhanced
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -82,7 +82,7 @@ This event also generated when user disconnects from virtual host Hyper-V Enhanc
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
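Review bot: the hunk-header context line "This event also generated when user disconnects from virtual host Hyper-V Enhanc…" is missing a verb; it should read "This event is also generated when a user disconnects ...". The link change in the hunk itself is fine.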
View File
@ -91,7 +91,7 @@ For computer accounts, this event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -93,7 +93,7 @@ Note that starting with Microsoft SQL Server 2005, the “SQL Server password po
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -86,7 +86,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -87,7 +87,7 @@ This event generates when a process enumerates a user's security-enabled local g
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -89,7 +89,7 @@ This event doesn't generate when group members were enumerated using Active Dire
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
View File
@ -83,7 +83,7 @@ This event is generated when a workstation was locked.
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.