How is Sam audit log triggered?

King Xi 21 Reputation points
2020-09-24T09:58:55.553+00:00

Please help me explain how the SAM alarm in the figure below is triggered, and can you help me explain the SAMR protocol? Thank you very much!


Accepted answer
  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-09-24T10:39:57.077+00:00

    Hello @King Xi ,

    Thank you for posting here.

    From the link below, we can see that if we configure the following three group policy settings in the GPO (Default Domain Policy):

    1. Computer Configuration\Windows settings\security settings\local policies\audit policy\Audit Directory Service Access => Audit Success and Failure

    2. Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit SAM => Audit Success and Failure

    3. Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Handle Manipulation => Audit Success and Failure

    4661(S, F): A handle to an object was requested.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661

    Then run the following commands on DCs and domain-joined clients.

    gpupdate /force
    auditpol /get /category:*

    If we access the C:\Windows\System32\config\SAM file, event ID 4661 will be generated.

    And about SAM, we can refer to the link below.

    Security Account Manager
    https://en.wikipedia.org/wiki/Security_Account_Manager

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    1 person found this answer helpful.

2 additional answers

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-09-28T09:25:18.96+00:00

    Hello @King Xi ,

    Thank you for your update.

    Based on a test in my lab, I found that if a domain user logs on to a domain-joined client and then presses Ctrl+Alt+Del and changes his/her password, I see the same description on the DC as you mentioned above.


    Hope the information is helpful.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.

  2. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-09-25T08:00:01.403+00:00

    Hello @King Xi ,

    Thank you for your update.

    From the link below, we can see:

    This event is logged by multiple subcategories as indicated above.

    Most objects, when opened (handle request), generate event 4656 but when you open a SAM object you get 4661 instead.

    Some AD objects also double as SAM objects and some properties of those objects double as SAM attributes. This event is logged when opening such SAM objects such as SAM_DOMAIN or SAM_USER.

    When the object is closed you get event ID 4658 with the same handle ID.

    4661: A handle to an object was requested
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4661

    On the client, when we access the C:\Windows\System32\config\SAM file, I can see Event ID 4656 and Event ID 4658.


    Hope the information is helpful.

    Best Regards,
    Daisy Zhou
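As an added example (not code from this thread or from Microsoft), the following Python script shows how a defender can post-process exported Security log records to use the relationships the two answers above describe: 4661 is the SAM-object handle request (not 4656), the object type tells you whether SAM_USER or SAM_DOMAIN was opened, and the matching 4658 carries the same handle ID. The sample records are constructed, and their field names follow the layout exposed by Get-WinEvent (an assumption for the export format).

```python
from collections import Counter

# Constructed sample records (not real log data). 4661 = handle to a SAM object
# requested, 4658 = handle closed, 4656 = handle to a non-SAM object requested.
SAMPLE_EVENTS = [
    {"EventID": 4661, "HandleId": "0x1a4", "ObjectType": "SAM_USER",
     "SubjectUserName": "alice", "Keywords": "Audit Success"},
    {"EventID": 4661, "HandleId": "0x1b0", "ObjectType": "SAM_DOMAIN",
     "SubjectUserName": "alice", "Keywords": "Audit Success"},
    {"EventID": 4658, "HandleId": "0x1a4", "SubjectUserName": "alice"},
    # A file handle: logged as 4656, so it is not a SAM access and is ignored.
    {"EventID": 4656, "HandleId": "0x2c8", "ObjectType": "File",
     "SubjectUserName": "bob", "Keywords": "Audit Failure"},
    # A failed SAM request never yields a handle, so no 4658 will follow it.
    {"EventID": 4661, "HandleId": "0x1c4", "ObjectType": "SAM_USER",
     "SubjectUserName": "bob", "Keywords": "Audit Failure"},
]


def pair_sam_handles(events):
    """Return one record per 4661 event, in log order, marking whether a later
    4658 event with the same HandleId closed it. 4656 events are ignored."""
    open_handles = {}  # HandleId -> record of a SAM handle not yet closed
    records = []
    for ev in events:
        if ev["EventID"] == 4661:
            rec = {"handle": ev["HandleId"], "object_type": ev["ObjectType"],
                   "subject": ev["SubjectUserName"],
                   "success": ev["Keywords"] == "Audit Success",
                   "closed": False}
            open_handles[ev["HandleId"]] = rec
            records.append(rec)
        elif ev["EventID"] == 4658 and ev["HandleId"] in open_handles:
            # Same handle ID as the earlier 4661: the SAM object was closed.
            open_handles.pop(ev["HandleId"])["closed"] = True
    return records


def count_by_object_type(records):
    """Count SAM handle requests per object type (SAM_USER, SAM_DOMAIN, ...)."""
    return Counter(r["object_type"] for r in records)


if __name__ == "__main__":
    for r in pair_sam_handles(SAMPLE_EVENTS):
        print(r)
    print(dict(count_by_object_type(pair_sam_handles(SAMPLE_EVENTS))))
```

On a real DC the same logic applies to the output of Get-WinEvent filtered on IDs 4661 and 4658; a 4661 with no closing 4658 is usually just a handle that is still open, not an error.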