Audit User/Device Claims

Applies to

  • Windows 10
  • Windows Server 2016

Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.

For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.

Important: Audit Logon subcategory must also be enabled in order to get events from this subcategory.

Event volume:

  • Low on a client computer.

  • Medium on a domain controller or network servers.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF No IF No IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server IF No IF No IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation IF No IF No IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4626(S): User/Device claims information.