
Audit SAM

Updated: June 15, 2009

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting allows you to audit events generated by attempts to access Security Accounts Manager (SAM) objects. SAM objects include the following:

  • SAM_ALIAS: A local group

  • SAM_GROUP: A group that is not a local group

  • SAM_USER: A user account

  • SAM_DOMAIN: A domain

  • SAM_SERVER: A computer account

If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Note: Only the SACL for SAM_SERVER can be modified.

Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files where the account and password information is stored in the system, bypassing any Account Management events.

Event volume: High on domain controllers

Note: For information about reducing the number of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=121698).

Default setting: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID    Event message
4659        A handle to an object was requested with intent to delete.
4660        An object was deleted.
4661        A handle to an object was requested.
4663        An attempt was made to access an object.
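
The following is an added example, not part of the original Microsoft page: it enables the setting with auditpol and summarizes the resulting events by the SAM object types listed above. It assumes an elevated PowerShell session, the English subcategory name "SAM", and the Security log field names ObjectType, ObjectName, SubjectUserName, and HandleId.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Enable success and failure auditing for the SAM subcategory, then confirm it.
auditpol /set /subcategory:"SAM" /success:enable /failure:enable
auditpol /get /subcategory:"SAM"

# SAM object types and event IDs listed on this page.
$samTypes = 'SAM_ALIAS', 'SAM_GROUP', 'SAM_USER', 'SAM_DOMAIN', 'SAM_SERVER'
$filter = @{
    LogName   = 'Security'
    Id        = 4659, 4660, 4661, 4663
    StartTime = (Get-Date).AddHours(-1)   # short window: volume is high on DCs
}

# Flatten each event's EventData into a hashtable keyed by field name.
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            Result     = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
            User       = $fields['SubjectUserName']
            ObjectType = $fields['ObjectType']
            ObjectName = $fields['ObjectName']
            HandleId   = $fields['HandleId']
        }
    }

# These event IDs are shared with other Object Access subcategories,
# so keep only records whose object type is one of the SAM types.
$sam = @($records | Where-Object { $samTypes -contains $_.ObjectType })

# 4660 carries no ObjectType; match it to a SAM handle request by HandleId
# (approximate, because handle values are reused over time).
$samHandles = $sam | Select-Object -ExpandProperty HandleId -Unique
$sam += @($records | Where-Object { $_.Id -eq 4660 -and $samHandles -contains $_.HandleId })

# Summarize who touched which kind of SAM object, and whether it succeeded.
$sam | Group-Object User, ObjectType, Id, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```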
