deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/audit-user-device-claims.md
Brian Lich fa5ddfcf9d changing from ms.prod: W10 to ms.prod: w10
2016-06-02 15:42:37 -07:00

3.0 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
Audit User/Device Claims (Windows 10) This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. D3D2BFAF-F2C0-462A-9377-673DB49D5486 security w10 deploy library Mir0sh

Audit User/Device Claims

Applies to

  • Windows 10
  • Windows Server 2016

Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.

Important: Audit Logon subcategory must also be enabled in order to get events from this subcategory.

Event volume:

  • Low on a client computer.

  • Medium on a domain controller or network servers.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF No IF No IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server IF No IF No IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation IF No IF No IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4626(S): User/Device claims information.