Why is my security log filled with 4662 events?

Jim 301 Reputation points
2024-11-17T22:23:17.0966667+00:00

Server 2022 DC/File server

My security log is generating 4662 errors at the rate of 50 or more every minute. This is on a weekend with nobody in the office or on the VPN. The XML view looks like this:

  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
      <EventID>4662</EventID>
      <Version>0</Version>
      <Level>0</Level>
      <Task>14080</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2024-11-17T21:28:01.4080323Z" />
      <EventRecordID>40877151</EventRecordID>
      <Correlation />
      <Execution ProcessID="840" ThreadID="1004" />
      <Channel>Security</Channel>
      <Computer>Server.domain.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">ServerName$</Data>
      <Data Name="SubjectDomainName">Domain</Data>
      <Data Name="SubjectLogonId">0x4503056</Data>
      <Data Name="ObjectServer">DS</Data>
      <Data Name="ObjectType">%{f30e3bc2-9ff0-11d1-b603-0000f80367c1}</Data>
      <Data Name="ObjectName">%{df241dfd-1334-40bd-b62a-04e75a6c1dd9}</Data>
      <Data Name="OperationType">Object Access</Data>
      <Data Name="HandleId">0x0</Data>
      <Data Name="AccessList">%%1538</Data>
      <Data Name="AccessMask">0x20000</Data>
      <Data Name="Properties">%%1538 {f30e3bc2-9ff0-11d1-b603-0000f80367c1}</Data>
      <Data Name="AdditionalInfo">-</Data>
      <Data Name="AdditionalInfo2" />
    </EventData>
  </Event>

This essentially makes the log useless. Can I turn these information messages off or at least reduce them?


2 answers

  1. Daisy Zhou 26,401 Reputation points Microsoft Vendor
    2024-11-19T07:43:45.57+00:00

    Hello Jim,

    Thank you for posting in the Q&A forum.

    Event ID 4662 is logged when an operation is performed on an object within Active Directory. This event is typically generated when a user creates, modifies, or deletes objects in the Active Directory.

    This event can generate a high volume of logs, especially on domain controllers, as it tracks various operations on AD objects.

    Frequent logging of Event ID 4662 can be due to normal AD operations, third-party applications interacting with AD, or even corrupted system files.

    If you want to turn off or reduce them, you could try these:

    1. Adjust Audit Policies:

    • Open the Group Policy Management Console (GPMC).

    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    • Adjust the settings under Directory Service Access to reduce the number of logged events.

    2. Filter Event Logs:

    • Create custom views in Event Viewer to filter out less critical events:

    • Open Event Viewer and navigate to the Security log.

    • Click on Create Custom View in the Actions pane.

    • Set the filter criteria to exclude Event ID 4662.

    3. Disable Specific Auditing:

    • If certain operations are generating excessive logs, you can disable auditing for those specific operations:

    • Open the Active Directory Users and Computers console.

    • Right-click the domain or organizational unit (OU) and select Properties.

    • Go to the Security tab and click Advanced.

    • In the Advanced Security Settings window, go to the Auditing tab and adjust the entries to reduce the scope of auditing.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


  2. Darrell Gorter 2,126 Reputation points
    2024-11-19T23:24:07.7933333+00:00

    Hello,

    Check Group Policy for auditing to see if this was enabled:

    https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-enabling-advanced-security-audit-policy-via-directory-services-acce/282452

    • Audit Directory Service Access: This security policy setting determines if the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed. These events are similar to the Directory Service Access events in previous versions of Windows Server operating systems. The following events will appear in logs when enabled:
    Event ID    Event message
    4662        An operation was performed on an object.
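
Both answers point at the Directory Service Access audit subcategory and the auditing (SACL) entries on AD objects. Before changing either, it helps to see which account, object class and access right produce the volume. The script below is an added example, not part of the original thread; it assumes an elevated PowerShell session on the domain controller, the ActiveDirectory module, and a one-hour look-back window.

```powershell
# Added example: summarise recent 4662 events to find the noisy audit entry.
$since = (Get-Date).AddHours(-1)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten the EventData fields shown in the question's XML view.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Subject    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        ObjectType = $data.ObjectType
        ObjectName = $data.ObjectName
        AccessMask = $data.AccessMask   # 0x20000 is READ_CONTROL (%%1538)
    }
}

# Which account, object class and access right account for most of the volume?
$rows | Group-Object Subject, ObjectType, AccessMask |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Which individual objects are touched most often?
$rows | Group-Object ObjectName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Resolve the most frequent ObjectType GUID to its schema class name.
$top = $rows | Group-Object ObjectType | Sort-Object Count -Descending |
    Select-Object -First 1
if ($top) {
    $topGuid  = [guid]$top.Name.Trim('%{}')
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        Where-Object { [guid]$_.schemaIDGUID -eq $topGuid } |
        Select-Object lDAPDisplayName
}

# Effective audit setting for the subcategory that produces 4662.
auditpol /get /subcategory:"Directory Service Access"
```

If one object class and one access right dominate, narrowing the matching auditing entry on that object or container reduces the noise without switching off Directory Service Access auditing for the whole domain controller.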
