Event Details
EventID 4661 - A handle to an object was requested - Successful
 Sample:
A handle to an object was requested.
Subject :
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a
Object:
	Object Server:	Security Account Manager
	Object Type:	SAM_DOMAIN
	Object Name:	DC=Logistics,DC=corp
	Handle ID:	0x2dace0
Process Information:
	Process ID:	0x238
	Process Name:	C:\Windows\System32\lsass.exe
Access Request Information:
	Transaction ID:	{00000000-0000-0000-0000-000000000000}
	Accesses:	ListAccounts
			
	Access Reasons:		-
	Access Mask:	0x100
	Privileges Used for Access Check:	-
	Properties:	---
	{bf967a90-0de6-11d0-a285-00aa003049e2}
ListAccounts
		{280f369c-67c7-438e-ae98-1d46f3c6f541}
	Restricted SID Count:	0
===========================
Description template stored in adtschema.dll:
===========================
A handle to an object was requested.

Subject :
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Object:
	Object Server:	%5
	Object Type:	%6
	Object Name:	%7
	Handle ID:	%8

Process Information:
	Process ID:	%16
	Process Name:	%17

Access Request Information:
	Transaction ID:	%9
	Accesses:	%10
	Access Reasons:		%11
	Access Mask:	%12
	Privileges Used for Access Check:	%13
	Properties:	%14
	Restricted SID Count:	%15
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows 8.1 (2012 R2), Windows 10 (2016) |
| Category | DS Access |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Directory Service Access |
| EventId | 4661 |
| Type | Success Audit |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Account Name | ALebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "AD Object Access Requested" | AD Object Access Requested |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | | Account Domain | LOGISTICS |
| WhereDomain | | - | |
| Result | Successful or Failed | "Successful" | Successful |
| Object Name | | Object Name | DC=Logistics,DC=corp |
| Object Type | | Object Type | SAM_DOMAIN |
| Whom | | InsertionString7 | DC=Logistics,DC=corp |
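An added example (not from the original page or the product it documents): a Python parser for the rendered 4661 message that copes with the "Subject :" header, the blank line after Accesses and the multi-line Properties value, then fills the Field Matching columns. The function names and the abridged SAMPLE text are constructed for illustration.

```python
import re

# Constructed input: this page's sample message, abridged, tabs written as \t.
SAMPLE = """A handle to an object was requested.
Subject :
\tAccount Name:\t\tALebovsky
\tAccount Domain:\t\tLOGISTICS
Object:
\tObject Type:\tSAM_DOMAIN
\tObject Name:\tDC=Logistics,DC=corp
Process Information:
\tProcess Name:\tC:\\Windows\\System32\\lsass.exe
Access Request Information:
\tAccesses:\tListAccounts
\t\t\t
\tAccess Mask:\t0x100
\tProperties:\t---
\t{bf967a90-0de6-11d0-a285-00aa003049e2}
ListAccounts
\t\t{280f369c-67c7-438e-ae98-1d46f3c6f541}
\tRestricted SID Count:\t0
"""

def parse_4661(message):
    """Return {section: {field: value}} for a rendered 4661 message."""
    sections, section, field = {}, None, None
    for line in message.splitlines():
        text = line.strip()
        if not text:                      # whitespace-only filler lines
            continue
        if not line[0].isspace() and text.endswith(":"):
            section, field = text.rstrip(": "), None   # "Subject :" -> "Subject"
            sections[section] = {}
            continue
        m = re.match(r"([^:{]+):\s*(.*)", text)
        if m and section:                 # "Field:<tabs>value"
            field = m.group(1).strip()
            sections[section][field] = m.group(2)
        elif field:                       # continuation line (Properties GUIDs)
            sections[section][field] += " " + text
    return sections

def normalize(sections):
    """Map parsed fields to the Field Matching columns listed on this page."""
    subj, obj = sections["Subject"], sections["Object"]
    return {"Who": subj["Account Name"], "WhoDomain": subj["Account Domain"],
            "What": "AD Object Access Requested", "Result": "Successful",
            "Object Name": obj["Object Name"], "Object Type": obj["Object Type"],
            "Whom": obj["Object Name"]}   # InsertionString7 (%7 in the template)
```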