deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 04:43:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
b5101b1fbd75f538e7af22d78524ea3b5335c587
windows-itpro-docs/windows/security/threat-protection/auditing/audit-user-device-claims.md
Paolo Matarazzo d6cd44eb56 (Windows 10)
2023-05-24 11:44:39 -04:00

44 lines
3.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Audit User/Device Claims
description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
ms.topic: reference
---
# Audit User/Device Claims
Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**:
- Low on a client computer.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4626](event-4626.md)(S): User/Device claims information.
Reference in New Issue View Git Blame Copy Permalink