windows-itpro-docs/windows/security/threat-protection/auditing/audit-sam.md
Paolo Matarazzo d6cd44eb56 (Windows 10)
2023-05-24 11:44:39 -04:00

---
title: Audit SAM
description: The Advanced Security Audit policy setting, Audit SAM, enables you to audit events generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
ms.topic: reference
---
# Audit SAM
Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.

The Security Account Manager (SAM) is a database, present on computers running Windows operating systems, that stores user accounts and security descriptors for users on the local computer.

SAM objects include the following:

- SAM\_ALIAS: A local group
- SAM\_GROUP: A group that is not a local group
- SAM\_USER: A user account
- SAM\_DOMAIN: A domain
- SAM\_SERVER: A computer account

If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Only a [SACL](/windows/win32/secauthz/access-control-lists) for SAM\_SERVER can be modified.

Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.

**Event volume**: High on domain controllers.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |

**Events List:**

- [4661](event-4661.md)(S, F): A handle to an object was requested.
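
The following is an added example, not part of the original article: it enables the subcategory with `auditpol` and then summarizes recent 4661 events by SAM object type, so you can judge the event volume before rolling the setting out more widely. It assumes an elevated PowerShell session, an English-language system (the subcategory name `SAM` is localized), and a one-hour review window; the variable names are illustrative.

```powershell
# Added example. Run from an elevated PowerShell session.
# Enable success and failure auditing for the SAM subcategory, then confirm it.
auditpol /set /subcategory:"SAM" /success:enable /failure:enable
auditpol /get /subcategory:"SAM"

# Assumption: review the last hour of the Security log.
$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 4661; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Audit Success keyword bit of a Security log record (locale independent).
$auditSuccess = 0x20000000000000

$rows = foreach ($e in $events) {
    # Flatten the named <Data> elements of the event into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$n.Name] = $n.'#text'
    }

    # 4661 is also raised for non-SAM objects; keep only SAM handle requests.
    if ($d['ObjectServer'] -ne 'Security Account Manager') { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Outcome    = if ($e.Keywords -band $auditSuccess) { 'Success' } else { 'Failure' }
        ObjectType = $d['ObjectType']   # SAM_ALIAS, SAM_GROUP, SAM_USER, SAM_DOMAIN, SAM_SERVER
        ObjectName = $d['ObjectName']
        Subject    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Process    = $d['ProcessName']
    }
}

# Which object types, accounts and processes generate the volume?
$rows |
    Group-Object ObjectType, Outcome, Subject, Process |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Failure audits are usually the smaller, more interesting set to read in full.
$rows | Where-Object Outcome -eq 'Failure' |
    Sort-Object Time |
    Format-Table Time, ObjectType, ObjectName, Subject, Process -AutoSize
```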