Event 5379

Mikhail Firsov 1,876 Reputation points
2022-10-12T14:53:50.277+00:00

Hello!

There are two HV hosts in my network: Host1 and Host2. They have exactly the same hardware and the same OS versions were deployed to both hosts - Windows Server 2022 (from the same iso).

Here are the audit policy and the contents of Security logs of Host1 and Host2:

Host1:
249738-1.png

249802-1-1.png

As you see the Host1's Security log contains events it should contain - the events from the Object Access category.

Host2:
249775-2.png

249784-2-1.png

Host2's Security log is cluttered with the event 5379 from the User Account Manager category.

Q1: What makes these events 5379 appear in the log if there's no single audit policy enabled on Host2?

Q2: Why this does not happen on Host1?

Thank you in advance,
Michael

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,406 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,316 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
423 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
521 questions
0 comments No comments
{count} votes

Accepted answer
  1. Daisy Zhou 19,276 Reputation points Microsoft Vendor
    2022-10-21T03:17:14.113+00:00

    Hello MikhailFirsov-1277,

    Thank you for your reply.

    1) Does the User Account Management audit category include Credentials were read action?
    A1: I suggest you can try to read Credentials in Credential Manager on Host 1 and then check if there is event ID 5379.

    2) If it does include - why does Host1 not generate events 5379 providing it has exactly the same auditing configuration as Host2 (as I've already illustrated above the "main" User Account Management category is not defined on Host1)?
    A2: The same suggestion as A1.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Daisy Zhou 19,276 Reputation points Microsoft Vendor
    2022-10-19T06:38:13.47+00:00

    Hello MikhailFirsov-1277,

    Thank you for posting in our Q&A forum.

    Here are the answers for your references:

    Based on the information above, I think host1 is in one domain and host2 is in one workgroup.

    Q1: What makes these events 5379 appear in the log if there's no single audit policy enabled on Host2?
    A1: You can check whether "User Account Manager category" is enabled under advanced audit policy on host2.
    251780-aa4.png

    If "User Account Manager category" is not configured under advanced audit policy on host2.

    I can see the default setting is "Success" for "User Account Manager category" as below.

    251848-aa2.png

    251881-aa3.png

    Q2: Why this does not happen on Host1?
    A2: I think maybe there are no following changes on host1. So, it does not generate 5379 events.

    Here are the explain on the audit policy Properties.

    This policy setting allows you to audit changes to user accounts. Events include the following:
    A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked.
    A user account’s password is set or changed.
    A security identifier (SID) is added to the SID History of a user account.
    The Directory Services Restore Mode password is configured.
    Permissions on administrative user accounts are changed.
    Credential Manager credentials are backed up or restored.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Mikhail Firsov 1,876 Reputation points
    2022-10-19T09:56:37.877+00:00

    Hello Daisy Zhou,

    Thank you very much for your reply!

    First regarding your second picture: Advanced Audit Policy should not apply in my configuration:
    251898-01.png
    251934-01-1.png

    Even should it apply I think it won't work because event 5379 means "Credentials were read", NOT "backed up or restored":

    251926-02.png

    It leaves us with your first supposition: it is the default User Account Management = Success default value which triggers those events but the following two questions arise:

    1) Does the User Account Management audit category include Credentials were read action?

    2) If it does include - why does Host1 not generate events 5379 providing it has exactly the same auditing configuration as Host2 (as I've already illustrated above the "main" User Account Management category is not defined on Host1)?

    251900-03.png

    In fact there's only one difference between Host1 and Host2: Host1 is a domain member while Host2 is not... but I've never heard that this could ever lead to such consequences...

    Regards,
    Michael

    0 comments No comments

  3. Mikhail Firsov 1,876 Reputation points
    2022-10-21T11:03:46.127+00:00

    Hello DaisyZhou-MSFT,

    Thank you for the suggestion - I've checked and made sure Host1 is also generating 5379 events, the root problem is not the events themselves but their quantity - on Host2 there're thousands of events every ~15 minutes. Will try to find out what is causing them. Thank you very much for your help!

    Regards,
    Michael

    0 comments No comments