Event ID: 4626

User / Device claims information

User / Device claims information.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Logon Type:             %9

New Logon:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Event in sequence:      %10 of %11

User Claims:            %12

Device Claims:          %13

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.

This event generates for new account logons and contains user/device claims which were associated with a new logon session.

This event does not generate if the user/device doesn’t have claims.

For computer account logons you will also see device claims listed in the “Device Claims” field.

Auditing:     Always

It is recommended to enable auditing for all associated categories on domain controllers, servers and workstations.

Volume:     Low Medium

Microsoft Documentation

Event ID - 4626

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any NULL SID
Account Name SubjectUserName %2 Any -
Account Domain SubjectDomainName %3 Any -
Logon ID SubjectLogonId %4 Any 0x0
Security ID TargetUserSid %5 Any THEDOMAIN\UserJohn
Account Name TargetUserName %6 Any UserJohn
Account Domain TargetDomainName %7 Any THEDOMAIN
Logon ID TargetLogonId %8 Any 0x3565
Logon Type LogonType %9 Any View Codes
Event in sequence EventIdx %10 Any 1
Events in sequence EventCountTotal %11 Any 1
User Claims UserClaims %12 Any ad://ext/cn:88d2b96fdb2b4c49 <String> : "UserJohn"
Device Claims DeviceClaims %13 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User / Device Claims"

LEFT/RIGHT arrow keys for navigation

Back to List