2021-10-28 11:16:23 -07:00


title: 4902(S) The Per-user audit policy table was created. (Windows 10)
description: Describes security event 4902(S) The Per-user audit policy table was created.
ms.pagetype: security
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.technology: windows-sec

4902(S): The Per-user audit policy table was created.

Event 4902 illustration

Subcategory: Audit Policy Change

Event Description:

This event generates during system startup if Per-user audit policy is defined on the computer.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4902</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13568</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" />
    <EventRecordID>1049490</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="556" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PuaCount">1</Data>
    <Data Name="PuaPolicyId">0x703e</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Number of Elements [Type = UInt32]: number of users for which Per-user policies were defined (number of unique users). You can get the list of users for which Per-user policies are defined by using the “auditpol /list /user” command:

Auditpol list user illustration

Policy ID [Type = HexInt64]: unique per-User Audit Policy hexadecimal identifier.

Security Monitoring Recommendations

For 4902(S): The Per-user audit policy table was created.

  • If you don't expect to see any per-User Audit Policies enabled on specific computers (Computer), monitor for these events.

  • If you don't use per-User Audit Policies in your network, monitor for these events.

  • Typically this is an informational event and has little to no security relevance.
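
The following is an added example, not part of the original documentation: it parses exported event XML, extracts the PuaCount and PuaPolicyId fields from each 4902 event, and flags events from computers that are not expected to have per-user audit policy. The allowlist, the function names, and the second and third sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: hosts where per-user audit policy is expected (hypothetical allowlist).
EXPECTED_HOSTS = {"dc01.contoso.local"}

# Constructed sample export: trimmed events under a wrapper root element.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4902</EventID><TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" />
  <Computer>DC01.contoso.local</Computer></System>
 <EventData><Data Name="PuaCount">1</Data><Data Name="PuaPolicyId">0x703e</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4902</EventID><TimeCreated SystemTime="2015-10-02T08:11:02.000000000Z" />
  <Computer>WS07.contoso.local</Computer></System>
 <EventData><Data Name="PuaCount">3</Data><Data Name="PuaPolicyId">0x1a2b</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4719</EventID>
  <Computer>WS07.contoso.local</Computer></System><EventData /></Event>
</Events>"""


def parse_4902(xml_text):
    """Return one dict per 4902 event found in an XML export."""
    found = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4902":
            continue  # ignore every other Security event
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        found.append({
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "pua_count": int(data.get("PuaCount", "0")),         # Number of Elements
            "policy_id": int(data.get("PuaPolicyId", "0"), 16),  # Policy ID (hexadecimal)
        })
    return found


def unexpected_4902(xml_text, expected_hosts=EXPECTED_HOSTS):
    """Keep only 4902 events from hosts not expected to have per-user audit policy."""
    return [e for e in parse_4902(xml_text) if e["computer"].lower() not in expected_hosts]


if __name__ == "__main__":
    for e in unexpected_4902(SAMPLE):
        print(f'{e["time"]} {e["computer"]}: {e["pua_count"]} user(s), policy 0x{e["policy_id"]:x}')
```

Passing an empty set as expected_hosts covers the case where per-user audit policies are not used anywhere in the network, so every 4902 event is reported.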