Audit SAM
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
SAM_ALIAS: A local group
SAM_GROUP: A group that is not a local group
SAM_USER: A user account
SAM_DOMAIN: A domain
SAM_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Note
Only the SACL for SAM_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
Event volume: High on domain controllers
Note
For information about reducing the number of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698).
Default setting: Not configured
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the Applies to list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.
Event ID | Event message
---|---
4659 | A handle to an object was requested with intent to delete.
4660 | An object was deleted.
4661 | A handle to an object was requested.
4663 | An attempt was made to access an object.
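The following PowerShell is an added example, not part of this topic or a Microsoft-supplied script: it enables the SAM subcategory with auditpol, then collects the four event IDs listed above from the Security log and summarises them by SAM object type and outcome. It assumes an elevated session on the audited computer, that the events carry an ObjectServer value of "Security Account Manager" and an ObjectType of SAM_* in their event data, and a 24-hour lookback window.

```powershell
# Added example (not from the Microsoft page). Enable success and failure auditing
# for the "SAM" subcategory, then report the resulting events. Assumes an elevated
# session and the field names noted in the comments below.

auditpol /set /subcategory:"SAM" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"SAM"

# The four event IDs documented for this subcategory
$samEventIds = 4659, 4660, 4661, 4663

# Lookback window is an assumption; SilentlyContinue covers the "no events yet" case
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $samEventIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep SAM-related events only. 4660 (object deleted) carries no ObjectType,
    # so the ObjectServer check (assumed value) is what retains it.
    if ($data['ObjectServer'] -eq 'Security Account Manager' -or $data['ObjectType'] -like 'SAM_*') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            ObjectType = $data['ObjectType']
            ObjectName = $data['ObjectName']
            Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process    = $data['ProcessName']
        }
    }
}

# Volume is high on domain controllers, so start from the aggregate view,
# then look at failures individually: those are the unexpected access attempts.
$rows | Group-Object Outcome, ObjectType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$rows | Where-Object Outcome -eq 'Failure' | Format-Table Time, Id, ObjectType, ObjectName, Subject, Process -AutoSize
```

Because only the SACL on SAM_SERVER can be modified, the volume is governed by that one SACL plus the subcategory setting; the Knowledge Base article referenced above describes how to reduce it.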