Windows Security Log Event ID 4662
Operating Systems: Windows Vista, Windows Server 2008
Category • Subcategory: Directory Service • Directory Service Access
Type: Success
Corresponding events in Windows 2003 and before: 566

4662: An operation was performed on an object


Active Directory logs this event when a user accesses an AD object. 

Of course, the object's audit policy must be enabled for the permissions requested and for the user requesting them or a group to which that user belongs.

For tracking property-level changes to AD objects, I recommend using Directory Service Change events (5136...) instead of this event, because 5136 and its related events provide much better information.

On the other hand, this is the only event that reports accesses defined for auditing that do not qualify as property changes.

For instance, changing the permissions on an OU, such as when delegating administrative authority, requires the WRITE_DAC permission, which this event logs.

Of course, I don't recommend auditing read-only accesses on AD objects, since the value is questionable and doing so would typically generate a very large number of events. So on the whole I regard this event as noise and recommend disabling the "Directory Service Access" subcategory in your audit policy on domain controllers.

Subject:

The user and logon session that performed the action. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

This is the object upon which the action was attempted.

  • Object Server: always "DS"
  • Object Type: The objectClass of the object as defined in the AD schema, such as user, group, groupPolicyContainer or organizationalUnit
  • Object Name: The distinguished name of the object being accessed
  • Handle ID: always 0x0

Operation: 

  • Operation Type: Object Access
  • Accesses: "Write Property" or other AD permission used on this object
  • Access Mask: Bitwise representation of Accesses
  • Properties: The GUIDs of the properties upon which each permission was exercised.

Additional Information:

  • Parameter 1: always -
  • Parameter 2: always blank


An operation was performed on an object.

Subject :
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79

Object:
   Object Server:  DS
   Object Type:  domainDNS
   Object Name:  DC=acme,DC=local
   Handle ID:  0x0

Operation:
   Operation Type:  Object Access
   Accesses:  WRITE_DAC

   Access Mask:  0x40000
   Properties:  WRITE_DAC
   {19195a5b-6da0-11d0-afd3-00c04fd930c9}

Additional Information:
   Parameter 1:  -
   Parameter 2: 


Edit group policy object

An operation was performed on an object.

Subject :

   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x30999

Object:
   Object Server:  DS
   Object Type:  groupPolicyContainer
   Object Name:  CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=acme,DC=com
   Handle ID:  0x0

Operation:
   Operation Type:  Object Access
   Accesses:  Write Property
   Access Mask:  0x20
   Properties:  Write Property
   {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
   {bf967a76-0de6-11d0-a285-00aa003049e2}
   {32ff8ecc-783f-11d2-9916-0000f87a57d4}
   {f30e3bc2-9ff0-11d1-b603-0000f80367c1}

Additional Information:
   Parameter 1:  -
   Parameter 2:
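
The following Python is an added example, not part of the original page: it parses the rendered description of a 4662 event, decodes Access Mask into directory access rights, and separates read-only and property-write accesses from accesses such as WRITE_DAC. The function names and triage labels are assumptions of this example; the right names follow the Windows ADS_RIGHTS_ENUM and standard access-right constants.

```python
import re

AD_RIGHTS = {  # ADS_RIGHTS_ENUM bits plus the standard access rights
    0x1: "Create Child", 0x2: "Delete Child", 0x4: "List Contents",
    0x8: "Self Write", 0x10: "Read Property", 0x20: "Write Property",
    0x40: "Delete Tree", 0x80: "List Object", 0x100: "Control Access",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYSTEM_SECURITY",
}
READ_BITS = 0x4 | 0x10 | 0x80 | 0x20000   # list/read rights: high volume, low value
WRITE_PROPERTY = 0x20                     # property changes: 5136 has better detail
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

def field(text, name):  # value of a "Name:  value" line, "" if the line is absent
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""

def parse_4662(text):
    """Parse one rendered 4662 description and triage its access mask."""
    mask = int(field(text, "Access Mask") or "0", 16)
    # Only GUIDs after "Properties:" count; a GPO's Object Name also holds a GUID.
    props = text.partition("Properties:")[2].partition("Additional Information:")[0]
    if mask and not mask & ~READ_BITS:
        triage = "read-only"
    elif mask and not mask & ~(READ_BITS | WRITE_PROPERTY):
        triage = "property-write"
    else:
        triage = "review"   # WRITE_DAC, WRITE_OWNER, DELETE, unknown bits, no mask
    return {
        "account": field(text, "Account Domain") + "\\" + field(text, "Account Name"),
        "logon_id": field(text, "Logon ID"),   # correlate with logon event 4624
        "object_dn": field(text, "Object Name"),
        "rights": [name for bit, name in AD_RIGHTS.items() if mask & bit],
        "unknown_bits": mask & ~sum(AD_RIGHTS),
        "property_guids": [g.lower() for g in GUID_RE.findall(props)],
        "triage": triage,
    }

# First sample event from this page, trimmed to the fields the parser reads.
SAMPLE = """Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79
   Object Name:  DC=acme,DC=local
   Access Mask:  0x40000
   Properties:  WRITE_DAC
   {19195a5b-6da0-11d0-afd3-00c04fd930c9}
"""

if __name__ == "__main__":
    print(parse_4662(SAMPLE))
```

Events triaged as "review" are the ones this event alone reports in useful form, such as the WRITE_DAC on the domain root above; "property-write" events are better followed through 5136.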
