mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 20:33:42 +00:00
3.1 KiB
3.1 KiB
title, description, ms.assetid, ms.reviewer, manager, ms.author, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.date, ms.technology, ms.topic
| title | description | ms.assetid | ms.reviewer | manager | ms.author | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.localizationpriority | author | ms.date | ms.technology | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Audit User/Device Claims | Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims. | D3D2BFAF-F2C0-462A-9377-673DB49D5486 | aaroncz | vinpa | security | windows-client | deploy | library | none | vinaypamnani-msft | 09/06/2021 | itpro-security | reference |
Audit User/Device Claims
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
Important: Enable the Audit Logon subcategory in order to get events from this subcategory.
Event volume:
-
Low on a client computer.
-
Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
- 4626(S): User/Device claims information.