WinSecWiki > Security Settings > Advanced Audit Policies > Object Access > SAM

Audit SAM

This category allows you to track access to objects in the SAM (Security Account Manager) where local users and groups are stored on non-domain controller systems. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4658	The handle to an object was closed
4660	An object was deleted
4661	A handle to an object was requested
4663	An attempt was made to access an object

Upcoming Webinars

Live, Hands-on Deep-Dive into LLM Hacking: Prompt Injection, Model Context Protocol and Skills
AD Certificate Services: A Massive Chunk of Windows Security Functionality Finally Gets the Security Research It Deserves
Linux Security: Locking Down Admin Access with SSH and Sudo
Understanding Broken Object Level Authorization: The Quiet Access Control Failure Undermining Today’s Apps

Additional Resources

Object Access

•	Application Generated
•	Central Access Policy Staging
•	Certification Services
•	Detailed File Share
•	File Share
•	File System
•	Filtering Platform Connection
•	Filtering Platform Packet Drop
•	Handle Manipulation
•	Kernal Object
•	Other Object Access Events
•	Registry
•	Removable Storage
•	SAM

User name:
Password:
	/ Forgot?
	Register

January 2026 Patch Tuesday	"Patch Tuesday - Starting 2026 with a Bang; 3 Zero Days " - sponsored by LOGbinder and Supercharger

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2026 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.