Windows Security Log Event ID 4662

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
 • Subcategory
Directory Service
 • Directory Service Access
Type Success
Corresponding events
in Windows 2003
and before
Discussions on Event ID 4662
4662 events for DNS issues
Security log filling up with 4662 events in Windows Server 2008

4662: An operation was performed on an object

On this page

Active Directory logs this event when a user accesses an AD object. 

Of course the object's audit policy must be enabled for the permissions requested and the user requesting it or a group to which that user belongs.

For tracking property level changes to AD objects I recommend using Directory Service Change events (5136...) instead of this event because 5136, etc provide much better information. 

On the other hand this is the only event that reports accesses defined for auditing that do not qualify as property changes. 

For instance changing the permissions on an OU such as for delegating administrative authority requires the WRITE_DAC permission which would get logged by this event.

Of course I don't recommend auditing read only accesses on AD objects since the value is questionable and would typically generate many, many events.  So on the whole I regard this event as noise and recommend disabling the "Directory Service Access" subcategory in your audit policy on domain controllers.

Free Security Log Resources by Randy

Description Fields in 4662


The user and logon session that performed the action. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. 


This is the object upon whom the action was attempted.   

  • Object Server: always "DS"
  • Object Type: is the objectClass for the object as defined in the AD schema such as: user, group, groupPolicyContainer or organizationalUnit
  • Object Name: The distinguished name of the object being accessed
  • Handle ID: alwas 0x0 


  • Operation Type: Object Access
  • Accesses: "Write Property" or other AD permission used on this object
  • Access Mask: bitwise represenation of Accesses:
  • Properties: The GUIDs of the properties upon which each permission was excercised.

Additional Information:

  • Parameter 1: always -
  • Parameter 2: always blank


Supercharger Free Edition


Examples of 4662

An operation was performed on an object.

Subject :
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x27a79

   Object Server:  DS
   Object Type:  domainDNS
   Object Name:  DC=acme,DC=local
   Handle ID:  0x0

   Operation Type:  Object Access
   Accesses:  WRITE_DAC

   Access Mask:  0x40000
   Properties:  WRITE_DAC

Additional Information:
   Parameter 1:  -
   Parameter 2: 

Edit group policy object

An operation was performed on an object.

Subject :

   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x30999

   Object Server:  DS
   Object Type:  groupPolicyContainer
   Object Name:  CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=acme,DC=com
   Handle ID:  0x0

   Operation Type:  Object Access
   Accesses:  Write Property
   Access Mask:  0x20
   Properties:  Write Property

Additional Information:
   Parameter 1:  -
   Parameter 2:

Keep me up-to-date on the Windows Security Log.
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources