Event ID 4626
User / Device claims informationUser / Device claims information. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %9 New Logon: Security ID: %5 Account Name: %6 Account Domain: %7 Logon ID: %8 Event in sequence: %10 of %11 User Claims: %12 Device Claims: %13 The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesn’t have claims.
For computer account logons you will also see device claims listed in the “Device Claims” field.
Auditing:
Always
It is recommended to enable auditing for all associated categories on domain controllers, servers and workstations.
Volume:
Low
Medium
Microsoft Documentation
Name | Field | Insertion String | OS | Example | ||
---|---|---|---|---|---|---|
Security ID | SubjectUserSid | %1 | Any | NULL SID | ||
Account Name | SubjectUserName | %2 | Any | - | ||
Account Domain | SubjectDomainName | %3 | Any | - | ||
Logon ID | SubjectLogonId | %4 | Any | 0x0 | ||
Security ID | TargetUserSid | %5 | Any | THEDOMAIN\UserJohn | ||
Account Name | TargetUserName | %6 | Any | UserJohn | ||
Account Domain | TargetDomainName | %7 | Any | THEDOMAIN | ||
Logon ID | TargetLogonId | %8 | Any | 0x3565 | ||
Logon Type | LogonType | %9 | Any | View Codes | ||
Event in sequence | EventIdx | %10 | Any | 1 | ||
Events in sequence | EventCountTotal | %11 | Any | 1 | ||
User Claims | UserClaims | %12 | Any | ad://ext/cn:88d2b96fdb2b4c49 <String> : "UserJohn" | ||
Device Claims | DeviceClaims | %13 | Any | - |
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User / Device Claims"
Operating Systems:
Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022Tags:
Audit SuccessLEFT/RIGHT arrow keys for navigation
Back to List