Audit PNP Activity
Audit PNP Activity determines when Plug and Play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Event volume: Varies, depending on how the computer is used. Typically Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
6416(S): A new external device was recognized by the System
6419(S): A request was made to disable a device
6420(S): A device was disabled.
6421(S): A request was made to enable a device.
6422(S): A device was enabled.
6423(S): The installation of this device is forbidden by system policy.
6424(S): The installation of this device was allowed, after having previously been forbidden by policy.