deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/device-security/auditing/audit-sam.md
Nicholas Brower 1ae3f0b230 Merged PR 4822: "msdate update (generated from most recent commit date)" 
"msdate update (generated from most recent commit date)"
2017-12-05 22:36:05 +00:00

3.5 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author, ms.date
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author ms.date
Audit SAM (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. 1d00f955-383d-4c95-bbd1-fab4a991a46e security w10 deploy library Mir0sh 04/19/2017

Audit SAM

Applies to

  • Windows 10
  • Windows Server 2016

Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.

The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

  • SAM objects include the following:

  • SAM_ALIAS: A local group

  • SAM_GROUP: A group that is not a local group

  • SAM_USER: A user account

  • SAM_DOMAIN: A domain

  • SAM_SERVER: A computer account

If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Only a SACL for SAM_SERVER can be modified.

Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.

Event volume: High on domain controllers.

For information about reducing the number of events generated in this subcategory, see KB841001.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller - - - - There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Member Server - - - - There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.
Workstation - - - - There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.

Events List:

  • 4661(S, F): A handle to an object was requested.