deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
448d4609d53a824310a481b47d34ff4fe9263e4d
windows-itpro-docs/windows/security/threat-protection/auditing/event-4902.md
Paolo Matarazzo ff98d60ced bulk metadata updates
2022-12-16 11:11:00 -05:00

2.6 KiB
Raw Blame History

title, description, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.date, ms.reviewer, manager, ms.author, ms.technology, ms.topic
title description ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.localizationpriority author ms.date ms.reviewer manager ms.author ms.technology ms.topic
4902(S) The Per-user audit policy table was created. (Windows 10) Describes security event 4902(S) The Per-user audit policy table was created. security windows-client deploy library none vinaypamnani-msft 09/07/2021 aaroncz vinpa itpro-security reference

4902(S): The Per-user audit policy table was created.

Event 4902 illustration

Subcategory: Audit Policy Change

Event Description:

This event generates during system startup if Per-user audit policy is defined on the computer.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4902</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13568</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" /> 
 <EventRecordID>1049490</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="520" ThreadID="556" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="PuaCount">1</Data> 
 <Data Name="PuaPolicyId">0x703e</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Number of Elements [Type = UInt32]: number of users for which Per-user policies were defined (number of unique users). You can get the list of users for which Per-user policies are defined using “auditpol /list /user” command:

Auditpol list user illustration

Policy ID [Type = HexInt64]: unique per-User Audit Policy hexadecimal identifier.

Security Monitoring Recommendations

For 4902(S): The Per-user audit policy table was created.

  • If you dont expect to see any per-User Audit Policies enabled on specific computers (Computer), monitor for these events.

  • If you dont use per-User Audit Policies in your network, monitor for these events.

  • Typically this is an informational event and has little to no security relevance.