2016-05-19 14:52:11 -07:00


---
title: Audit SAM (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Audit SAM

**Applies to**

- Windows 10
- Windows 10 Mobile

This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.

The Security Account Manager (SAM) is a database present on computers running Windows operating systems. It stores user accounts and security descriptors for users on the local computer.

SAM objects include the following:

- SAM\_ALIAS: A local group
- SAM\_GROUP: A group that is not a local group
- SAM\_USER: A user account
- SAM\_DOMAIN: A domain
- SAM\_SERVER: A computer account

If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

> **Note:** Only the SACL for SAM\_SERVER can be modified.
 
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the system stores account and password information, bypassing any Account Management events.

Event volume: High on domain controllers

> **Note:** For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).
 
Default setting: Not configured

| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete.|
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested.|
| 4663 | An attempt was made to access an object.|
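
The event IDs in this table are shared with other Object Access subcategories, so triage has to filter on the SAM object types listed earlier. The following is an added example, not part of the original topic or Microsoft's code: it reads events in the Windows event XML layout and counts SAM object access per event ID, object type and subject. The sample events are constructed, the field names `ObjectType`, `HandleId` and `SubjectUserName` are taken from the Windows Security event schema, and matching 4660 to an earlier handle request by `HandleId` alone is a simplifying assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SAM_EVENT_IDS = {4659, 4660, 4661, 4663}  # event IDs from the table above
SAM_OBJECT_TYPES = {"SAM_ALIAS", "SAM_GROUP", "SAM_USER", "SAM_DOMAIN", "SAM_SERVER"}

def _event(eid, **data):
    """Build one constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample input (not real log data).
SAMPLE = [
    _event(4624, TargetUserName="alice"),  # logon event, unrelated ID
    _event(4661, ObjectType="SAM_USER", HandleId="0x1a0", SubjectUserName="alice"),
    _event(4661, ObjectType="SAM_DOMAIN", HandleId="0x1b4", SubjectUserName="alice"),
    _event(4663, ObjectType="File", HandleId="0x3f0", SubjectUserName="bob"),  # not SAM
    _event(4659, ObjectType="SAM_ALIAS", HandleId="0x2c8", SubjectUserName="carol"),
    _event(4660, HandleId="0x2c8", SubjectUserName="carol"),  # carries no ObjectType
]

def summarize_sam_access(events_xml):
    """Count SAM object access as {(event_id, object_type, subject): n}."""
    handles = {}  # HandleId -> ObjectType, learned from handle-request events
    counts = Counter()
    for xml in events_xml:
        root = ET.fromstring(xml)
        eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in SAM_EVENT_IDS:
            continue
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        # 4660 has no ObjectType, so fall back to the type seen for its handle.
        # Assumption: handle IDs are not reused across processes in the input.
        obj_type = data.get("ObjectType") or handles.get(data.get("HandleId"))
        if obj_type not in SAM_OBJECT_TYPES:
            continue  # same event ID, but a file, registry key or other object
        if eid in (4659, 4661) and "HandleId" in data:
            handles[data["HandleId"]] = obj_type
        counts[(eid, obj_type, data.get("SubjectUserName", ""))] += 1
    return counts

if __name__ == "__main__":
    for (eid, obj_type, subject), n in sorted(summarize_sam_access(SAMPLE).items()):
        print(f"{eid}  {obj_type:<10}  {subject:<8}  {n}")
```
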
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)