Audit User/Device Claims
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
Important: Enable the Audit Logon subcategory in order to get events from this subcategory.
Event volume:
Low on a client computer.
Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF – if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
- 4626(S): User/Device claims information.