Event ID: 4626User / Device claims information
User / Device claims information. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %9 New Logon: Security ID: %5 Account Name: %6 Account Domain: %7 Logon ID: %8 Event in sequence: %10 of %11 User Claims: %12 Device Claims: %13 The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “Device Claims” field.
It is recommended to enable auditing for all associated categories on domain controllers, servers and workstations.
|Security ID||SubjectUserSid||%1||Any||NULL SID|
|Logon Type||LogonType||%9||Any||View Codes|
|Event in sequence||EventIdx||%10||Any||1|
|Events in sequence||EventCountTotal||%11||Any||1|
|User Claims||UserClaims||%12||Any||ad://ext/cn:88d2b96fdb2b4c49 <String> : "UserJohn"|
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User / Device Claims"
LEFT/RIGHT arrow keys for navigationBack to List