mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #6038 from MicrosoftDocs/v-mathavale-5560668-part6
5560668-part6
This commit is contained in:
Diana Hanson
GitHub
commit
be8a7c2a78
@ -83,7 +83,7 @@ This event is generated when workstation was unlocked.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -83,7 +83,7 @@ This event is generated when screen saver was invoked.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -83,7 +83,7 @@ This event is generated when screen saver was dismissed.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -88,7 +88,7 @@ Separate events will be generated for “Registry” and “File system” polic
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -90,7 +90,7 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -90,7 +90,7 @@ For example, it generates when a new [Central Access Policy](/windows-server/ide
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -93,7 +93,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -93,7 +93,7 @@ This event is generated only on domain controllers.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -95,7 +95,7 @@ This event contains new values only, it doesn’t contains old values and it doe
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -88,7 +88,7 @@ You can typically see this event during system startup, if specific roles (Inter
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ This event doesn't generate for Active Directory objects.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ Resource attributes for file or folder can be changed, for example, using Window
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -89,7 +89,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ ms.technology: windows-sec
|
||||
# 4937(S): A lingering object was removed from a replica.
|
||||
|
||||
|
||||
This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica.
|
||||
This event generates when a [lingering object](/troubleshoot/windows-server/identity/information-lingering-objects) was removed from a replica.
|
||||
|
||||
There is no example of this event in this document.
|
||||
|
||||
|
||||
@ -111,7 +111,7 @@ This event occurs when an account that is a member of any defined [Special Group
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
@ -139,7 +139,7 @@ This event occurs when an account that is a member of any defined [Special Group
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -87,7 +87,7 @@ This is an informational event from file system [Transaction Manager](/windows/w
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -95,7 +95,7 @@ You can see these events, for example, during certificate renewal or export oper
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ This event generates when a cryptographic key is exported or imported using a [K
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ This event generates when a cryptographic operation (open key, create key, creat
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -96,7 +96,7 @@ For a change operation you will typically see two 5136 events for one action, wi
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -90,7 +90,7 @@ This event only generates if the parent object has a particular entry in its [SA
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ This event only generates if the container to which the Active Directory object
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ This event only generates if the destination object has a particular entry in it
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -91,7 +91,7 @@ This event only generates if the deleted object has a particular entry in its [S
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ This event generates every time network share object was modified.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -83,7 +83,7 @@ This event generates every time a network share object is deleted.
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ This event generates every time network share object (file or folder) was access
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
@ -89,7 +89,7 @@ It often happens because of NTLMv1 or LM protocols usage from client side when
|
||||
|
||||
- Uppercase full domain name: CONTOSO.LOCAL
|
||||
|
||||
- For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
- For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
|
||||
|
||||
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user