deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 06:13:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
c19fa00cc3ec2d444be06aec695c70a841f15c40
windows-itpro-docs/windows/security/threat-protection/auditing/event-4902.md
get-itips 90972e598f Several metadata changes 
added ms.reviewer and manager using ms.date
2019-05-30 10:01:13 -03:00

2.6 KiB
Raw Blame History

title, description, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.localizationpriority, author, ms.date, ms.reviewer, manager, ms.author
title description ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.localizationpriority author ms.date ms.reviewer manager ms.author
4902(S) The Per-user audit policy table was created. (Windows 10) Describes security event 4902(S) The Per-user audit policy table was created. security w10 deploy library none dansimp 04/19/2017 dansimp dansimp

4902(S): The Per-user audit policy table was created.

Applies to

  • Windows 10
  • Windows Server 2016
Event 4902 illustration

Subcategory: Audit Policy Change

Event Description:

This event generates during system startup if Per-user audit policy is defined on the computer.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4902</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>13568</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-10-01T00:05:25.814466500Z" /> 
 <EventRecordID>1049490</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="520" ThreadID="556" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="PuaCount">1</Data> 
 <Data Name="PuaPolicyId">0x703e</Data> 
 </EventData>
 </Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Number of Elements [Type = UInt32]: number of users for which Per-user policies were defined (number of unique users). You can get the list of users for which Per-user policies are defined using “auditpol /list /user” command:

Auditpol list user illustration

Policy ID [Type = HexInt64]: unique per-User Audit Policy hexadecimal identifier.

Security Monitoring Recommendations

For 4902(S): The Per-user audit policy table was created.

  • If you dont expect to see any per-User Audit Policies enabled on specific computers (Computer), monitor for these events.

  • If you dont use per-User Audit Policies in your network, monitor for these events.

  • Typically this is an informational event and has little to no security relevance.