2.2 KiB
title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, author
| title | description | ms.assetid | ms.prod | ms.mktglfcycl | ms.sitesec | author |
|---|---|---|---|---|---|---|
| Audit User/Device Claims (Windows 10) | This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims. | D3D2BFAF-F2C0-462A-9377-673DB49D5486 | W10 | deploy | library | brianlic-msft |
Audit User/Device Claims
Applies to
- Windows 10
This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
Event volume:
Default: Not configured
| Event ID | Event message |
|---|---|
4626 |
User / Device claims information. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type:%9 New Logon: Security ID: %5 Account Name: %6 Account Domain: %7 Logon ID: %8 Event in sequence: %10 of %11 User Claims: %12 Device Claims: %13 The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session. |
Related topics
Advanced security audit policy settings