Question on Event ID 4662

Germán Chialli 1 Reputation point
2022-01-25T17:24:52.86+00:00

I have the following event in the Security Logs on a Windows 2016 server which is a member of a domain:

Security-Auditing: 4662: AUDIT_SUCCESS 
An operation was performed on an object.

Subject :
Security ID: S-1-5-21-4108171211-840875644-2799876004-2655 
Account Name: john.doe [REDACTED] 
Account Domain: MYDOMAIN [REDACTED] 
Logon ID: 0xB14EA82A 

Object: 
Object Server: LSA 
Object Type: SecretObject 
Object Name: Policy\Secrets\$MACHINE.ACC 
Handle ID: 0x1ade5a90cc0 

Operation: 
Operation Type: Query 
Accesses: Query secret value 
Access Mask: 0x2 
Properties: - 

Additional Information: 
Parameter 1: - 
Parameter 2: -

I'm struggling to understand what this means. I find it odd that a regular user will query this object. I see multiple events like this for this and other servers, but they are initiated by NT AUTHORITY\LOCAL SERVICE.

I hope someone can point me in the right direction.

Thank you


2 answers

  1. Limitless Technology 39,931 Reputation points
    2022-01-26T11:49:26.613+00:00

    Hello Germán Chialli

    This seems a normal operation while you have auditing mode on. Basically what it is telling you is that there was a Delete operation (0x2 Mask, see link below) in the Policy\Secrets container. This seems to be a regular maintenance operation due to LSA Secrets container background operations. Since they are LSA operations, it is normal for them to be initiated by NT AUTHORITY\LOCAL SERVICE.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662

    Types of LSA Secrets that can be affected by this:

    Users passwords
    Internet Explorer passwords
    Service account passwords (Services on the machine that require authentication with secret)
    Cached domain password encryption key
    SQL passwords
    SYSTEM account passwords
    Account passwords for configured scheduled tasks
    Time left until the expiration of an inactivated copy of Windows

    ------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Germán Chialli 1 Reputation point
    2022-01-26T16:31:14.563+00:00

    Hello, thanks for your answer.
    But in this case, the action was initiated by a human user account (john.doe). And the target object is the Computer password? Policy\Secrets\$MACHINE.ACC

    Is this still normal?

    Thanks

    0 comments No comments
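
A triage sketch for the situation discussed in this thread, added here as an example and not written by either poster: it parses the rendered text of 4662 events and lists LSA SecretObject reads (access mask bit 0x2, shown as "Query secret value" in the posted event) whose subject is not one of the well-known service SIDs. The sample events, SIDs and account names are constructed, and the function names are hypothetical.

```python
import re

# Well-known service SIDs: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
QUERY_SECRET_VALUE = 0x2  # "Query secret value", as labelled in the posted event

# Constructed sample events that follow the field layout of the event in the question.
TEMPLATE = """Security-Auditing: 4662: AUDIT_SUCCESS
Subject :
Security ID: {sid}
Account Name: {name}
Object:
Object Server: LSA
Object Type: SecretObject
Object Name: Policy\\Secrets\\$MACHINE.ACC
Operation:
Accesses: Query secret value
Access Mask: {mask}
"""
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SAMPLE = [
    TEMPLATE.format(sid="S-1-5-19", name="LOCAL SERVICE", mask="0x2"),
    TEMPLATE.format(sid=USER_SID, name="example.user", mask="0x2"),
    TEMPLATE.format(sid=USER_SID, name="example.user", mask="0x1"),  # 0x2 bit not set
]

def parse_4662(text):
    """Turn the rendered 'Key: value' lines of one event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):  # section headers such as 'Object:' have no value
            fields[m.group(1)] = m.group(2)
    return fields

def needs_review(fields):
    """True when a non-service account read the value of an LSA secret."""
    if fields.get("Object Server") != "LSA" or fields.get("Object Type") != "SecretObject":
        return False
    mask = int(fields.get("Access Mask", "0"), 16)
    return bool(mask & QUERY_SECRET_VALUE) and fields.get("Security ID") not in SERVICE_SIDS

def triage(events):
    parsed = [parse_4662(e) for e in events]
    return [(f["Account Name"], f["Object Name"]) for f in parsed if needs_review(f)]

if __name__ == "__main__":
    for account, obj in triage(SAMPLE):
        print(f"review: {account} queried {obj}")
```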
