Message

SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting.

Fields

Message

SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM.

Fields

Message

SAM failed to update the SAM database. It will try again next time you reboot the machine.

Message

SAM failed to start the TCP/IP or SPX/IPX listening thread

Fields

Message

There are two or more objects that have the same account name attribute in the SAM database. The Distinguished Name of the account is {AccountDistinguishedName}. Please contact your system administrator to have all duplicate accounts deleted; but ensure that the original account remains. For computer accounts; the newest account should be retained. In all the other cases; the older account should be kept.

Fields

Message

There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is %1. All duplicate accounts have been deleted. Check the event log for additional duplicates.

Fields

Message

The SAM database was unable to lockout the account of %1 due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Fields

Message

The SAM database attempted to delete the file %1 as it contains account information that is no longer used.  The error is in the record data. Please have an administrator delete this file.

Fields

Message

The SAM database attempted to clear the directory %1 in order to remove files that were once used by the Directory Service. The error is in record data. Please have an admin delete these files.

Fields

Message

%1 is now the primary domain controller for the domain.

Fields

Message

The account %1 cannot be converted to be a domain controller account as its object class attribute in the directory is not computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 domain controller in a Windows 2000 domain or later, then you should pre-create the account for the domain controller with the correct object class.

Fields

Message

The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources. This task has been rescheduled to run in one minute.

Fields

Message

The group caching option in the Security Accounts Manager has now been properly updated.  Group caching is enabled.

Message

The group caching option in the Security Accounts Manager has now been properly updated. Group caching is disabled.

Message

The %1 package failed to update additional credentials for user %2.  The error code is in the data of the event log message.

Fields

Message

There are two or more well known objects that have the same SID attribute in the SAM database. The Distinguished Name of the duplicate account is %1. The newest account will be kept, all older duplicate accounts have been deleted. Check the event log for additional duplicates.

Fields

Message

There are two or more objects that have the same account name attribute in the SAM database. The system has automatically renamed object %1 to a system assigned account name %2.

Fields

Message

An error occurred while creating new default accounts for this domain.  This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists.

Fields

Message

The account %1 could not be upgraded since there is an account with an equivalent name.

Fields

Message

An error occurred upgrading user %1.  This account will have to be added manually upon reboot.

Fields

Message

An error occurred trying to read a user object from the old database.

Fields

Message

An error occurred upgrading alias %1. This account will have to be added manually upon reboot.

Fields

Message

An error occurred trying to read an alias object from the old database.

Fields

Message

An error occurred upgrading group %1. This account will have to be added manually upon reboot.

Fields

Message

An error occurred trying to read a group object from the old database.

Fields

Message

An error occurred trying to add account %1 to alias %2.  This account will have to be added manually upon reboot.

Fields

Message

The account with the sid %1 could not be added to group %2.

Fields

Message

An error occurred trying to add account %1 to group %2.  This account will have to be added manually upon reboot.

Fields

Message

The account with the rid %1 could not be added to group %2.

Fields

Message

A fatal error occurred trying to transfer the SAM account database into the directory service. A possible reason is the SAM account database is corrupt.

Fields

Message

Setting the administrator's password to the string you specified failed. Upon reboot the password will be blank; please reset once logged on.

Message

An error occurred trying to upgrade a SAM user's User_Parameters attribute. The following Notification Package DLL might be the possible offender: %1. Check the record data of this event for the NT error code.

Fields

Message

An error occured trying to set User Parameters attribute for this user This operation is failed. Check the record data of this event for the NT error code.

Fields

Message

An error occured trying to upgrade the following SAM User Object - %1. We will try to continue upgrading this user. But it might contain inconsistent data. Check the record data of this event for the NT error code.

Fields

Message

An error occurred when trying to add the account %1 to the group %2. The problem, "%3", occurred when trying to open the group. Please add the account manually.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16401
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:31.641248+00:00'
  event_record_id: 628
  correlation: {}
  execution:
    process_id: 648
    thread_id: 652
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_MEMBERSHIP_SETUP_ERROR_NO_GROUP
  AccountName: INTERNET USER
  GroupName: IIS_IUSRS
  ErrorMessage: "The specified local group does not exist.\r\n"
  Binary: '60050000'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

An error occurred when trying to add the account %1 to the group %2. The problem, "%3", occurred when trying to add the account to the group.  Please add the account manually.

Fields

Message

The error "%2" occurred when trying to create the well known account %1. Please contact PSS to recover.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16403
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:31.644632+00:00'
  event_record_id: 638
  correlation: {}
  execution:
    process_id: 648
    thread_id: 652
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_USER_SETUP_ERROR
  AccountName: WDAGUtilityAccount
  ErrorMessage: "The specified network password is not correct.\r\n"
  Binary: '56000000'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Security Accounts Manager failed to add the Enterprise Admins group to the local Administrators alias. To ensure proper functioning of the domain; please add the account manually.

Message

During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.

Fields

Message

The Security Account Database detected that the well known account %1 does not exist. The account has been recreated.  Please reset the password for the account.

Fields

Message

The Security Account Database detected that the well known group or local group %1 does not exist. The group has been recreated.

Fields

Message

Domain operation mode has been changed to Native Mode. The change cannot be reversed.

Message

Active Directory Domain Services failed to add a security principal to well known security principals container. Please have an administrator add this security principal if needed. Security principal name: %1

Fields

Message

Active Directory Domain Services failed to add all of the new security principals to well known security principals container. Please have an administrator add these security principals if needed.

Fields

Message

Active Directory Domain Services failed to rename a security principal in well known security principals container. Please have an administrator rename this security principal if needed. Security principal name: %1

Fields

Message

Active Directory Domain Services failed to rename some of the security principals in well known security principals container. Please have an administrator rename these security principals if needed.

Fields

Message

An error occurred when trying to remove the account %1 from the group %2. The problem, "%3", occurred when trying to remove the account from the group.  Please remove the member manually.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16413
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:31.656794+00:00'
  event_record_id: 639
  correlation: {}
  execution:
    process_id: 648
    thread_id: 652
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_MEMBERSHIP_REMOVAL_SETUP_ERROR
  AccountName: Network Service
  GroupName: Performance Log Users
  ErrorString: "The system cannot find the file specified.\r\n"
  Binary: '02000000'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The account-identifier allocator finished initializing. The allocator was initialized with the following identifier values: {MinimumDomainRID} {MaximumDomainRID} {RIDPoolSize} {MinimumAvailableRID} {MaximumAvailableRID} {MinimumAllocatedRID} {MaximumAllocatedRID} {CurrentRIDValue}. Check the record data of this event for the initialization status. Zero indicates successful initialization; otherwise the record data contains the NT error code.

Fields

Message

The account-identifier pool for this domain controller could not be updated. A possible reason for this is that the domain controller may be too busy with other update operations. Subsequent account creations will attempt to update the ID pool until successful.

Message

The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.

Fields

Message

An initial account-identifier pool has not yet been allocated to this domain controller. A possible reason for this is that the domain controller has been unable to contact the master domain controller, possibly due to connectivity or network problems. Account creation will fail on this domain controller until the pool is obtained.

Fields

Message

The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.

Fields

Message

The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.

Fields

Message

The computed account identifier is invalid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool.

Fields

Message

The domain controller is starting a request for a new account-identifier pool.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16647
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:41.496467+00:00'
  event_record_id: 696
  correlation: {}
  execution:
    process_id: 648
    thread_id: 856
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_REQUESTING_NEW_RID_POOL
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The request for a new account-identifier pool has completed successfully.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16648
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:41.498371+00:00'
  event_record_id: 697
  correlation: {}
  execution:
    process_id: 648
    thread_id: 856
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_RID_REQUEST_STATUS_SUCCESS
  Binary: '00000000'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The account-identifier-manager object creation completed. If the record data for this event has the value zero, the manager object was created. Otherwise, the record data will contain the NT error code indicating the failure. The failure to create the object may be due to low system resources, insufficient memory, or disk space.

Fields

Message

The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  The initialization will be retried until it succeeds; until that time; account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.

Message

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is 
 " %1 "

Fields

Message

The domain controller is booting to directory services restore mode.

Message

A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum. The maximum value of %1 will be used when the domain controller is the RID master. 
See http://go.microsoft.com/fwlink/?LinkId=225963 for more information.

Fields

Message

A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:
1. A domain controller is restored from backup. 
2. A domain controller running on a virtual machine is restored from snapshot. 
3. An administrator has manually invalidated the pool. 
See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.

Message

The global maximum for account-identifiers (RIDs) has been increased to %1. 
 See http://go.microsoft.com/fwlink/?LinkId=233329 for more information including important operating system interoperability requirements.

Fields

Message

Action required! An account-identifier (RID) pool was allocated to this domain controller. The pool value indicates this domain has consumed a considerable portion of the total available account-identifiers. 

A protection mechanism will be activated when the domain reaches the following threshold of total available account-identifiers remaining: %1.  The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier allocation on the RID master domain controller. 

See http://go.microsoft.com/fwlink/?LinkId=228610 for more information.

Fields

Message

Action required! This domain has consumed a considerable portion of the total available account-identifiers (RIDs). A protection mechanism has been activated because the total available account-identifiers remaining is approximately: %1. 

The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain.  The mechanism will remain active until the Administrator manually re-enables account-identifier (RID) allocation on the RID master domain controller. 

It is extremely important that certain diagnostics be performed prior to re-enabling account creation to ensure this domain is not consuming account-identifiers at an abnormally high rate. Any issues identified should be resolved prior to re-enabling account creation. 

Failure to diagnose and fix any underlying issue causing an abnormally high rate of account-identifier consumption can lead to account-identifier (RID) pool exhaustion in the domain after which account creation will be permanently disabled in this domain. 

See http://go.microsoft.com/fwlink/?LinkId=228610 for more information.

Fields

Message

This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: %1. 

Account-identifiers are used as accounts are created, when they are exhausted no new accounts may be created in the domain. 

See http://go.microsoft.com/fwlink/?LinkId=228745 for more information.

Fields

Message

Failed to secure the machine account %1.  Have an administrator remove the builtin\account operators full control Access Control Entry from the security descriptor on this object.

Fields

Message

Failed to secure the machine account %1.  This operation will be retried. Have an administrator verify the builtin\account operators full control Access Control Entry was removed from the security descriptor on this object.

Fields

Message

Secured the machine account %1.  The builtin\account operators full control Access Control Entry was removed from the security descriptor on this object.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16937
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:14:31.637430+00:00'
  event_record_id: 624
  correlation: {}
  execution:
    process_id: 648
    thread_id: 652
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_MACHINE_ACCOUNT_SECURE
  ComputerName: ''
  Binary: '00000000'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID %1 in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is %2.

Fields

Message

The certificate issuance policy that is represented by OID %2 does not have a link to a security identifier (SID), or this link cannot be read. The link is represented by the attribute msDS-OIDToGroupLink on the msPKI-Enterprise-Oid object that represents the issuance policy. This certificate will not be associated with a corresponding SID, and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy.

Fields

Message

Multiple certificate issuance policy descriptors were found in the Active Directory database. The attribute msPKI-Cert-Template-OID of these descriptors contains string %1.  This attribute should be able to uniquely identify an issuance policy descriptor; you should resolve this conflict. The issuance policies that are affected will not be associated with security identifiers (SIDs), and users who are authenticating using certificates that are issued by the corresponding policy may be denied access to some resources.

Fields

Message

The certificate issuance policy descriptor %2 is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has members, or is not universal. The error is %6.
An issuance policy should be linked to a security identifier (SID) of a group that is security enabled, does not have members, and is universal. Users who are authenticating using certificates that are issued according to this policy may be denied access to some resources. The distinguished name (also known as DN) of the group that does not meet these requirements is %3.

Fields

Message

The requested modification for group %1 could not be performed. This is because this group is linked through msDS-OIDToGroupLinkBl to a certificate issuance policy descriptor. Such groups should be security enabled, they should not have any members, and they should be universal.
The requested operation was %4.
The error is %5.

Fields

Message

The certificate issuance policy descriptor %1 cannot be linked to group %2. Issuance policies can be linked through the attribute msDS-OIDToGroupLink only to universal, security-enabled groups that have an empty membership. You should ensure that this group meets these requirements.
The error is %5.

Fields

Message

The following invalid claims issued to user %1 have been dropped: %2.

Fields

Message

Claims issued to user %1 could not be validated and have been dropped. Error: %2.

Fields

Message

Claims issued to user %1 could not be validated and have been dropped. Error: %2.

Fields

Message

The password notification DLL %1 failed to load with error %4. Please verify that the notification DLL path defined in the registry, %2%3, refers to a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files.  Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898.

Fields

Message

SAM was configured to not listen on the TCP protocol.

Message

Legacy password validation mode has been enabled on this machine. If an Exchange ActiveSync policy is configured it will not be enforced for password validation requests.

Message

Remote calls to the SAM database are being restricted using the default security descriptor: %1.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16962
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:28.054783+00:00'
  event_record_id: 1666
  correlation:
    ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
  execution:
    process_id: 808
    thread_id: 812
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_RESTRICT_REMOTE_SAM_DEFAULT_SD
  'Default SD String:': O:SYG:SYD:(A;;RC;;;BA)
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Message

The registry security descriptor is malformed: %1.
Remote calls to the SAM database are being restricted using the default security descriptor: %2.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Message

A remote call to the SAM database has been denied.
Client SID: %1
Network address: %2
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Message

Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. 
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Message

Audit only mode is now disabled for remote calls to the SAM database.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Message

Audit only mode is currently enabled for remote calls to the SAM database.
The following client would have been normally denied access:
Client SID: %1 from network address: %2. 
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Message

%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields

Message

An error occurred while configuring one or more well-known accounts for this domain.  This may be due to a transient error condition. The task will retry periodically until successful. For more information please see https://go.microsoft.com/fwlink/?linkid=832473.
Status: %1

Fields

Message

The domain is configured with the following minimum password length-related settings.

MinimumPasswordLength: %1

RelaxMinimumPasswordLengthLimits: %2

MinimumPasswordLengthAudit: %3

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16977
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:34.991632+00:00'
  event_record_id: 1669
  correlation:
    ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
  execution:
    process_id: 808
    thread_id: 896
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_MINPWDLEN_SETTINGS_IN_EFFECT
  MinimumPasswordLength: 0
  RelaxMinimumPasswordLengthLimits: 0
  MinimumPasswordLengthAudit: -1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The following account has been configured with a password whose length is shorter than the current MinimumPasswordLengthAudit setting.

AccountName: %1

MinimumPasswordLength: %2

MinimumPasswordLengthAudit: %3

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields

Message

The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14 while RelaxMinimumPasswordLengthLimits is either undefined or disabled.

NOTE: until this is corrected, the domain will enforce a smaller MinimumPasswordLength setting of 14.

Currently configured MinimumPasswordLength value: %1

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields

Message

The security account manager has detected the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account. The policy is currently configured for audit so the authentication was allowed to proceed.

Account DN: %1

Account SID: %2

KeyHash: %3

For more information see https://go.microsoft.com/fwlink/?linkid=2116430.

Fields

Message

The security account manager has detected and blocked the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account.

Account DN: %1

Account SID: %2

KeyHash: %3

For more information see https://go.microsoft.com/fwlink/?linkid=2116430.

Fields

Message

The security account manager is now logging verbose events for remote clients that call legacy password change or set RPC methods. This setting may cause large number of messages and should only be used for a short period time to diagnose problems.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Message

The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields

Example Event

system:
  provider: Microsoft-Windows-Directory-Services-SAM
  guid: 0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE
  event_source_name: ''
  event_id: 16983
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:28.084211+00:00'
  event_record_id: 1668
  correlation:
    ActivityID: F590C418-1079-0001-5BC5-90F57910DA01
  execution:
    process_id: 808
    thread_id: 812
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: SAMMSG_AUDIT_LEGACY_PWD_RPC_METHODS_OFF
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The security account manager detected %1 legacy password change or set RPC method calls in the past %2 minutes.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields

Message

The security account manager detected the use of a legacy password change or set RPC method from a network client.
Consider upgrading the client operating system or application to use the latest and more secure version of this method.

Details:

RPC Method: %1
Client Network Address: %4
Client SID: %3
Username: %2

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields

Message

The security account manager has detected one or more duplicated names for a local account. This inconsistency was remediated by keeping one account name and deleting the remaining names.

RID=%1(%2)

Retained account name: %3

Deleted account name(s): %4

For more information see https://go.microsoft.com/fwlink/?linkid=2134956.

Fields

Message

The security account manager has detected one or more duplicated names for a local account. This inconsistency may cause application failures and\or system instability. No changes were made since the policy is in detect-only mode.

Details:

RID=%1(%2)

Duplicate account names: %3

If the policy had been set to repair mode, the following account name would have been retained and all others deleted:

Account name to retain: %4

For more information see https://go.microsoft.com/fwlink/?linkid=2134956.

Fields

Message

The security account manager encountered one or more fatal errors on startup which will not allow the machine to start.

Service startup error status:%1

More details may be found in the event data.

For more information see https://go.microsoft.com/fwlink/?linkid=2157228.

Fields

Message

The security account manager encountered one or more non-fatal errors on startup.

More details may be found in the event data.

For more information see https://go.microsoft.com/fwlink/?linkid=2157228.

Fields

Message

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

Details:

Account name: %1
Account objectClass: %2
userAccountControl: %3
Caller address: %4
Caller SID: %5

For more information see https://go.microsoft.com/fwlink/?linkid=2173873.

Fields

Message

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

Attempted sAMAccountName: %1
Recommended sAMAccountName: %1$

For more information see https://go.microsoft.com/fwlink/?linkid=2173873.

Fields

Message

The security account manager is now configuring the local password and lockout policies in accordance with regional policy.

Message

The security account manager successfully initialized the Local Administrator Password Solution (LAPS) extension dll.

Message

The security account manager failed to initialize the Local Administrator Password Solution (LAPS) extension dll.

Status:%1

Fields

Message

The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

SDDL Value: %1.

This allow list is configured through group policy in Active Directory.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields

Message

The security descriptor that contains the computer account re-use allow list being used to validate client requests during domain join is malformed.

SDDL Value: %1.

This allow list is configured through group policy in Active Directory.To correct this problem an administrator will need to update the policy and set this value to a valid security descriptor or disable the policy.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields

Message

The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Computer Account: %1
Computer Account Owner: %2

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields

Message

The security account manager rejected a client request to re-use a computer account during domain join.
The computer account and the client identity did not meet the required security validation checks.

Client Account: %3
Computer Account: %1
Computer Account Owner: %2

Check the record data of this event for the NT Error code.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields