Windows Security Log Event ID 4662
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Directory Service
• Directory Service Access |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
566
|
4662: An operation was performed on an object
On this page
Active Directory logs this event when a user accesses an AD object.
Of course the object's audit policy must be enabled for the permissions requested and the user requesting it or a group to which that user belongs.
For tracking property level changes to AD objects I recommend using Directory Service Change events (5136...) instead of this event because 5136, etc provide much better information.
On the other hand this is the only event that reports accesses defined for auditing that do not qualify as property changes.
For instance changing the permissions on an OU such as for delegating administrative authority requires the WRITE_DAC permission which would get logged by this event.
Of course I don't recommend auditing read only accesses on AD objects since the value is questionable and would typically generate many, many events. So on the whole I regard this event as noise and recommend disabling the "Directory Service Access" subcategory in your audit policy on domain controllers.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID: is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Object:
This is the object upon whom the action was attempted.
- Object Server: always "DS"
- Object Type: is the objectClass for the object as defined in the AD schema such as: user, group, groupPolicyContainer or organizationalUnit
- Object Name: The distinguished name of the object being accessed
- Handle ID: alwas 0x0
Operation:
- Operation Type: Object Access
- Accesses: "Write Property" or other AD permission used on this object
- Access Mask: bitwise represenation of Accesses:
- Properties: The GUIDs of the properties upon which each permission was excercised.
Additional Information:
- Parameter 1: always -
- Parameter 2: always blank
Supercharger Free Edition
Your entire Windows Event Collection environment on a single pane of glass.
Free.
An operation was performed on an object.
Subject :
Security ID: ACME\Administrator
Account Name: Administrator
Account Domain: ACME
Logon ID: 0x27a79
Object:
Object Server: DS
Object Type: domainDNS
Object Name: DC=acme,DC=local
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: WRITE_DAC
Access Mask: 0x40000
Properties: WRITE_DAC
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
Additional Information:
Parameter 1: -
Parameter 2:
Edit group policy object
An operation was performed on an object.
Subject :
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Object:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=acme,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Write Property
Access Mask: 0x20
Properties: Write Property
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{bf967a76-0de6-11d0-a285-00aa003049e2}
{32ff8ecc-783f-11d2-9916-0000f87a57d4}
{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Additional Information:
Parameter 1: -
Parameter 2:
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection