Microsoft-Windows-Directory-Services-SAM

112 events across 1 channel

Event ID | Title | Channel
12288 | SAM failed to write changes to the database. | System
12289 | SAM failed to restore the database to an earlier state. | System
12290 | SAM failed to update the SAM database. | System
12291 | SAM failed to start the TCP/IP or SPX/IPX listening thread | System
12292 | There are two or more objects that have the same account name attribute in the … | System
12293 | There are two or more objects that have the same SID attribute in the SAM … | System
12294 | The SAM database was unable to lockout the account of UserName due to a resource … | System
12295 | The SAM database attempted to delete the file FilePath as it contains account … | System
12296 | The SAM database attempted to clear the directory DirectoryPath in order to … | System
12297 | ComputerName is now the primary domain controller for the domain. | System
12298 | The account ComputerName cannot be converted to be a domain controller account … | System
12299 | The attempt to check whether group caching has been enabled in the Security … | System
12300 | The group caching option in the Security Accounts Manager has now been properly … | System
12301 | The group caching option in the Security Accounts Manager has now been properly … | System
12302 | The SecurityPackage package failed to update additional credentials for user … | System
12303 | There are two or more well known objects that have the same SID attribute in the … | System
12304 | There are two or more objects that have the same account name attribute in the … | System
12305 | An error occurred while creating new default accounts for this domain. | System
16384 | The account AccountName could not be upgraded since there is an account with an … | System
16385 | An error occurred upgrading user UserName. | System
16386 | An error occurred trying to read a user object from the old database. | System
16387 | An error occurred upgrading alias GroupName. | System
16388 | An error occurred trying to read an alias object from the old database. | System
16389 | An error occurred upgrading group GroupName. | System
16390 | An error occurred trying to read a group object from the old database. | System
16391 | An error occurred trying to add account AccountDistinguishedName to alias … | System
16392 | The account with the sid AccountSID could not be added to group … | System
16393 | An error occurred trying to add account AccountDistinguishedName to group … | System
16394 | The account with the rid AccountRID could not be added to group GroupName. | System
16395 | A fatal error occurred trying to transfer the SAM account database into the … | System
16397 | Setting the administrator's password to the string you specified failed. | System
16398 | An error occurred trying to upgrade a SAM user's User_Parameters attribute. | System
16399 | An error occured trying to set User Parameters attribute for this user This … | System
16400 | An error occured trying to upgrade the following SAM User Object - UserName. | System
16401 | An error occurred when trying to add the account Name to the group AccountName. | System
16402 | An error occurred when trying to add the account AccountName to the group … | System
16403 | The error "AccountName" occurred when trying to create the well known account … | System
16404 | The Security Accounts Manager failed to add the Enterprise Admins group to the … | System
16405 | During the installation of the Directory Service, this server's machine account … | System
16406 | The Security Account Database detected that the well known account UserName does … | System
16407 | The Security Account Database detected that the well known group or local group … | System
16408 | Domain operation mode has been changed to Native Mode. | System
16409 | Active Directory Domain Services failed to add a security principal to well … | System
16410 | Active Directory Domain Services failed to add all of the new security … | System
16411 | Active Directory Domain Services failed to rename a security principal in well … | System
16412 | Active Directory Domain Services failed to rename some of the security … | System
16413 | An error occurred when trying to remove the account Name from the group … | System
16640 | The account-identifier allocator finished initializing. | System
16641 | The account-identifier pool for this domain controller could not be updated. | System
16642 | The account-identifier allocator was unable to assign a new identifier. | System
16643 | An initial account-identifier pool has not yet been allocated to this domain … | System
16644 | The maximum domain account identifier value has been reached. | System
16645 | The maximum account identifier allocated to this domain controller has been … | System
16646 | The computed account identifier is invalid because it is out of the range of the … | System
16647 | The domain controller is starting a request for a new account-identifier pool. | System
16648 | The request for a new account-identifier pool has completed successfully. | System
16649 | The account-identifier-manager object creation completed. | System
16650 | The account-identifier allocator failed to initialize properly. | System
16651 | The request for a new account-identifier pool failed. | System
16652 | The domain controller is booting to directory services restore mode. | System
16653 | A pool size for account-identifiers (RIDs) that was configured by an … | System
16654 | A pool of account-identifiers (RIDs) has been invalidated. | System
16655 | The global maximum for account-identifiers (RIDs) has been increased to … | System
16656 | Action required! | System
16657 | Action required! | System
16658 | This event is a periodic update on the remaining total quantity of available … | System
16935 | Failed to secure the machine account ComputerName. | System
16936 | Failed to secure the machine account ComputerName. | System
16937 | Secured the machine account Name. | System
16944 | The certificate that is used for authentication does not have an issuance policy … | System
16945 | The certificate issuance policy that is represented by OID OID Object DN does … | System
16946 | Multiple certificate issuance policy descriptors were found in the Active … | System
16947 | The certificate issuance policy descriptor OID Object DN is linked through its … | System
16948 | The requested modification for group Group DN could not be performed. | System
16949 | The certificate issuance policy descriptor OID Name cannot be linked to group … | System
16950 | The following invalid claims issued to user User have been dropped: … | System
16951 | Claims issued to user User could not be validated and have been dropped. | System
16952 | Claims issued to user User could not be validated and have been dropped. | System
16953 | The password notification DLL NotificationPackage: failed to load with error … | System
16960 | SAM was configured to not listen on the TCP protocol. | System
16961 | Legacy password validation mode has been enabled on this machine. | System
16962 | Remote calls to the SAM database are being restricted using the default security … | System
16963 | Remote calls to the SAM database are being restricted using the configured … | System
16964 | The registry security descriptor is malformed: MalformedSDString. | System
16965 | A remote call to the SAM database has been denied. | System
16966 | Audit only mode is now enabled for remote calls to the SAM database. | System
16967 | Audit only mode is now disabled for remote calls to the SAM database. | System
16968 | Audit only mode is currently enabled for remote calls to the SAM database. | System
16969 | Suppressed Message Count: remote calls to the SAM database have been denied in … | System
16976 | An error occurred while configuring one or more well-known accounts for this … | System
16977 | The domain is configured with the following minimum password length-related … | System
16978 | The following account has been configured with a password whose length is … | System
16979 | The domain is incorrectly configured with a MinimumPasswordLength setting that … | System
16980 | The security account manager has detected the use of a ROCA-vulnerable Windows … | System
16981 | The security account manager has detected and blocked the use of a … | System
16982 | The security account manager is now logging verbose events for remote clients … | System
16983 | The security account manager is now logging periodic summary events for remote … | System
16984 | The security account manager detected Number of RPC methods: legacy password … | System
16985 | The security account manager detected the use of a legacy password change or set … | System
16986 | The security account manager has detected one or more duplicated names for a … | System
16987 | The security account manager has detected one or more duplicated names for a … | System
16988 | The security account manager encountered one or more fatal errors on startup … | System
16989 | The security account manager encountered one or more non-fatal errors on … | System
16990 | The security account manager blocked a non-administrator from creating an Active … | System
16991 | The security account manager blocked a non-administrator from creating or … | System
16992 | The security account manager is now configuring the local password and lockout … | System
16993 | The security account manager successfully initialized the Local Administrator … | System
16994 | The security account manager failed to initialize the Local Administrator … | System
16995 | The security account manager is using the specified security descriptor for … | System
16996 | The security descriptor that contains the computer account re-use allow list … | System
16997 | The security account manager found a computer account that appears to be … | System
16998 | The security account manager rejected a client request to re-use a computer … | System

Event ID 12288 — SAM failed to write changes to the database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

SAM failed to write changes to the database. This is most likely due to a memory or disk-space shortage. The SAM database will be restored to an earlier state. Recent changes will be lost. Check the disk-space available and maximum pagefile size setting.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 12289 — SAM failed to restore the database to an earlier state.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM.

Message

SAM failed to restore the database to an earlier state. SAM has shutdown. You must reboot the machine to re-enable SAM.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 12290 — SAM failed to update the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

SAM failed to update the SAM database. It will try again next time you reboot the machine.

Message

SAM failed to update the SAM database. It will try again next time you reboot the machine.

Event ID 12291 — SAM failed to start the TCP/IP or SPX/IPX listening thread

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

SAM failed to start the TCP/IP or SPX/IPX listening thread.

Message

SAM failed to start the TCP/IP or SPX/IPX listening thread

Fields

Name Description
LogStatus Binary
__binLength UInt32

Event ID 12292 — There are two or more objects that have the same account name attribute in the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

There are two or more objects that have the same account name attribute in the SAM database. The Distinguished Name of the account is {AccountDistinguishedName}. Please contact your system administrator to have all duplicate accounts deleted; but ensure that the original account remains. For computer accounts; the newest account should be retained. In all the other cases; the older account should be kept.

Fields

Name Description
AccountDistinguishedName

Event ID 12293 — There are two or more objects that have the same SID attribute in the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

There are two or more objects that have the same SID attribute in the SAM database. The Distinguished Name of the account is %1. All duplicate accounts have been deleted. Check the event log for additional duplicates.

Fields

Name Description
AccountDistinguishedName UnicodeString

Event ID 12294 — The SAM database was unable to lockout the account of UserName due to a resource error, such as a hard disk write failure.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

The SAM database was unable to lockout the account of %1 due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Fields

Name Description
UserName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 12295 — The SAM database attempted to delete the file FilePath as it contains account information that is no longer used.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The SAM database attempted to delete the file FilePath as it contains account information that is no longer used. The error is in the record data. Please have an administrator delete this file.

Message

The SAM database attempted to delete the file %1 as it contains account information that is no longer used.  The error is in the record data. Please have an administrator delete this file.

Fields

Name Description
FilePath UnicodeString
WinError Binary
__binLength UInt32

Event ID 12296 — The SAM database attempted to clear the directory DirectoryPath in order to remove files that were once used by the Directory Service.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The SAM database attempted to clear the directory DirectoryPath in order to remove files that were once used by the Directory Service. The error is in record data. Please have an admin delete these files.

Message

The SAM database attempted to clear the directory %1 in order to remove files that were once used by the Directory Service. The error is in record data. Please have an admin delete these files.

Fields

Name Description
DirectoryPath UnicodeString
WinError Binary
__binLength UInt32

Event ID 12297 — ComputerName is now the primary domain controller for the domain.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

ComputerName is now the primary domain controller for the domain.

Message

%1 is now the primary domain controller for the domain.

Fields

Name Description
ComputerName UnicodeString

Event ID 12298 — The account ComputerName cannot be converted to be a domain controller account as its object class attribute in the directory is not computer or is not deriv...

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

The account %1 cannot be converted to be a domain controller account as its object class attribute in the directory is not computer or is not derived from computer. If this is caused by an attempt to install a pre Windows 2000 domain controller in a Windows 2000 domain or later, then you should pre-create the account for the domain controller with the correct object class.

Fields

Name Description
ComputerName UnicodeString

Event ID 12299 — The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources. This task has been rescheduled to run in one minute.

Message

The attempt to check whether group caching has been enabled in the Security Accounts Manager has failed, most likely due to lack of resources. This task has been rescheduled to run in one minute.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 12300 — The group caching option in the Security Accounts Manager has now been properly updated.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The group caching option in the Security Accounts Manager has now been properly updated. Group caching is enabled.

Message

The group caching option in the Security Accounts Manager has now been properly updated.  Group caching is enabled.

Event ID 12301 — The group caching option in the Security Accounts Manager has now been properly updated.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The group caching option in the Security Accounts Manager has now been properly updated. Group caching is disabled.

Message

The group caching option in the Security Accounts Manager has now been properly updated. Group caching is disabled.

Event ID 12302 — The SecurityPackage package failed to update additional credentials for user UserName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The SecurityPackage package failed to update additional credentials for user UserName. The error code is in the data of the event log message.

Message

The %1 package failed to update additional credentials for user %2.  The error code is in the data of the event log message.

Fields

Name Description
SecurityPackage UnicodeString
UserName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 12303 — There are two or more well known objects that have the same SID attribute in the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

There are two or more well known objects that have the same SID attribute in the SAM database. The Distinguished Name of the duplicate account is %1. The newest account will be kept, all older duplicate accounts have been deleted. Check the event log for additional duplicates.

Fields

Name Description
AccountDistinguishedName UnicodeString

Event ID 12304 — There are two or more objects that have the same account name attribute in the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

There are two or more objects that have the same account name attribute in the SAM database. The system has automatically renamed object AccountDistinguishedName to a system assigned account name SystemAssignedAccountName.

Message

There are two or more objects that have the same account name attribute in the SAM database. The system has automatically renamed object %1 to a system assigned account name %2.

Fields

Name Description
AccountDistinguishedName UnicodeString
SystemAssignedAccountName UnicodeString

Event ID 12305 — An error occurred while creating new default accounts for this domain.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

An error occurred while creating new default accounts for this domain.  This maybe due to a transient error condition. The task will retry periodically until success and will log this message again in a week if the problem persists.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16384 — The account AccountName could not be upgraded since there is an account with an equivalent name.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The account AccountName could not be upgraded since there is an account with an equivalent name.

Message

The account %1 could not be upgraded since there is an account with an equivalent name.

Fields

Name Description
AccountName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16385 — An error occurred upgrading user UserName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred upgrading user UserName. This account will have to be added manually upon reboot.

Message

An error occurred upgrading user %1.  This account will have to be added manually upon reboot.

Fields

Name Description
UserName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16386 — An error occurred trying to read a user object from the old database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred trying to read a user object from the old database.

Message

An error occurred trying to read a user object from the old database.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16387 — An error occurred upgrading alias GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred upgrading alias GroupName. This account will have to be added manually upon reboot.

Message

An error occurred upgrading alias %1. This account will have to be added manually upon reboot.

Fields

Name Description
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16388 — An error occurred trying to read an alias object from the old database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred trying to read an alias object from the old database.

Message

An error occurred trying to read an alias object from the old database.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16389 — An error occurred upgrading group GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred upgrading group GroupName. This account will have to be added manually upon reboot.

Message

An error occurred upgrading group %1. This account will have to be added manually upon reboot.

Fields

Name Description
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16390 — An error occurred trying to read a group object from the old database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred trying to read a group object from the old database.

Message

An error occurred trying to read a group object from the old database.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16391 — An error occurred trying to add account AccountDistinguishedName to alias GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred trying to add account AccountDistinguishedName to alias GroupName. This account will have to be added manually upon reboot.

Message

An error occurred trying to add account %1 to alias %2.  This account will have to be added manually upon reboot.

Fields

Name Description
AccountDistinguishedName UnicodeString
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16392 — The account with the sid AccountSID could not be added to group AccountDistinguishedName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The account with the sid AccountSID could not be added to group AccountDistinguishedName.

Message

The account with the sid %1 could not be added to group %2.

Fields

Name Description
AccountSID UnicodeString
AccountDistinguishedName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16393 — An error occurred trying to add account AccountDistinguishedName to group GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred trying to add account AccountDistinguishedName to group GroupName. This account will have to be added manually upon reboot.

Message

An error occurred trying to add account %1 to group %2.  This account will have to be added manually upon reboot.

Fields

Name Description
AccountDistinguishedName UnicodeString
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16394 — The account with the rid AccountRID could not be added to group GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The account with the rid AccountRID could not be added to group GroupName.

Message

The account with the rid %1 could not be added to group %2.

Fields

Name Description
AccountRID UInt32
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16395 — A fatal error occurred trying to transfer the SAM account database into the directory service.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

A fatal error occurred trying to transfer the SAM account database into the directory service. A possible reason is the SAM account database is corrupt.

Message

A fatal error occurred trying to transfer the SAM account database into the directory service. A possible reason is the SAM account database is corrupt.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16397 — Setting the administrator's password to the string you specified failed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Setting the administrator's password to the string you specified failed. Upon reboot the password will be blank; please reset once logged on.

Message

Setting the administrator's password to the string you specified failed. Upon reboot the password will be blank; please reset once logged on.

Event ID 16398 — An error occurred trying to upgrade a SAM user's User_Parameters attribute.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

An error occurred trying to upgrade a SAM user's User_Parameters attribute. The following Notification Package DLL might be the possible offender: %1. Check the record data of this event for the NT error code.

Fields

Name Description
SecurityPackage UnicodeString
__binLength UInt32
ErrorCode Binary

Event ID 16399 — An error occured trying to set User Parameters attribute for this user This operation is failed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occured trying to set User Parameters attribute for this user This operation is failed. Check the record data of this event for the NT error code.

Message

An error occured trying to set User Parameters attribute for this user This operation is failed. Check the record data of this event for the NT error code.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16400 — An error occured trying to upgrade the following SAM User Object - UserName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message

An error occured trying to upgrade the following SAM User Object - %1. We will try to continue upgrading this user. But it might contain inconsistent data. Check the record data of this event for the NT error code.

Fields

Name Description
UserName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16401 — An error occurred when trying to add the account Name to the group AccountName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

An error occurred when trying to add the account Name to the group AccountName. The problem, "GroupName", occurred when trying to open the group. Please add the account manually.

Message

An error occurred when trying to add the account %1 to the group %2. The problem, "%3", occurred when trying to open the group. Please add the account manually.

Fields

Name Description
Name
AccountName UnicodeString
GroupName UnicodeString
ErrorMessage UnicodeString
Binary

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16401,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:31.641248+00:00",
    "event_record_id": 628,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_MEMBERSHIP_SETUP_ERROR_NO_GROUP",
    "AccountName": "INTERNET USER",
    "GroupName": "IIS_IUSRS",
    "ErrorMessage": "The specified local group does not exist.\r\n",
    "Binary": "60050000"
  },
  "message": ""
}

Event ID 16402 — An error occurred when trying to add the account AccountName to the group GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

An error occurred when trying to add the account AccountName to the group GroupName. The problem, "ErrorMessage", occurred when trying to add the account to the group. Please add the account manually.

Message

An error occurred when trying to add the account %1 to the group %2. The problem, "%3", occurred when trying to add the account to the group.  Please add the account manually.

Fields

Name Description
AccountName UnicodeString
GroupName UnicodeString
ErrorMessage UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16403 — The error "AccountName" occurred when trying to create the well known account Name.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

The error "AccountName" occurred when trying to create the well known account Name. Please contact PSS to recover.

Message

The error "%2" occurred when trying to create the well known account %1. Please contact PSS to recover.

Fields

Name Description
Name
AccountName UnicodeString
ErrorMessage UnicodeString
Binary

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16403,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:31.644632+00:00",
    "event_record_id": 638,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_USER_SETUP_ERROR",
    "AccountName": "WDAGUtilityAccount",
    "ErrorMessage": "The specified network password is not correct.\r\n",
    "Binary": "56000000"
  },
  "message": ""
}

Event ID 16404 — The Security Accounts Manager failed to add the Enterprise Admins group to the local Administrators alias.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The Security Accounts Manager failed to add the Enterprise Admins group to the local Administrators alias. To ensure proper functioning of the domain; please add the account manually.

Message

The Security Accounts Manager failed to add the Enterprise Admins group to the local Administrators alias. To ensure proper functioning of the domain; please add the account manually.

Event ID 16405 — During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.

Message

During the installation of the Directory Service, this server's machine account was deleted hence preventing this Domain Controller from starting up.

Fields

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16406 — The Security Account Database detected that the well known account UserName does not exist.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The Security Account Database detected that the well known account UserName does not exist. The account has been recreated. Please reset the password for the account.

Message

The Security Account Database detected that the well known account %1 does not exist. The account has been recreated.  Please reset the password for the account.

Fields

Name Description
UserName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16407 — The Security Account Database detected that the well known group or local group GroupName does not exist.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The Security Account Database detected that the well known group or local group GroupName does not exist. The group has been recreated.

Message #

The Security Account Database detected that the well known group or local group %1 does not exist. The group has been recreated.

Fields #

Name Description
GroupName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16408 — Domain operation mode has been changed to Native Mode.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Domain operation mode has been changed to Native Mode. The change cannot be reversed.

Message #

Domain operation mode has been changed to Native Mode. The change cannot be reversed.

Event ID 16409 — Active Directory Domain Services failed to add a security principal to well known security principals container.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Active Directory Domain Services failed to add a security principal to well known security principals container. Please have an administrator add this security principal if needed. Security principal name: %1

Fields #

Name Description
AccountName UnicodeString
__binLength UInt32
ErrorCode Binary

Event ID 16410 — Active Directory Domain Services failed to add all of the new security principals to well known security principals container.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Active Directory Domain Services failed to add all of the new security principals to well known security principals container. Please have an administrator add these security principals if needed.

Message #

Active Directory Domain Services failed to add all of the new security principals to well known security principals container. Please have an administrator add these security principals if needed.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16411 — Active Directory Domain Services failed to rename a security principal in well known security principals container.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Active Directory Domain Services failed to rename a security principal in well known security principals container. Please have an administrator rename this security principal if needed. Security principal name: %1

Fields #

Name Description
AccountName UnicodeString
__binLength UInt32
ErrorCode Binary

Event ID 16412 — Active Directory Domain Services failed to rename some of the security principals in well known security principals container.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Active Directory Domain Services failed to rename some of the security principals in well known security principals container. Please have an administrator rename these security principals if needed.

Message #

Active Directory Domain Services failed to rename some of the security principals in well known security principals container. Please have an administrator rename these security principals if needed.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16413 — An error occurred when trying to remove the account AccountName from the group GroupName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

An error occurred when trying to remove the account AccountName from the group GroupName. The problem, "ErrorString", occurred when trying to remove the account from the group. Please remove the member manually.

Message #

An error occurred when trying to remove the account %1 from the group %2. The problem, "%3", occurred when trying to remove the account from the group.  Please remove the member manually.

Fields #

Name Description
Name
AccountName UnicodeString
GroupName UnicodeString
ErrorString UnicodeString
Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16413,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:31.656794+00:00",
    "event_record_id": 639,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_MEMBERSHIP_REMOVAL_SETUP_ERROR",
    "AccountName": "Network Service",
    "GroupName": "Performance Log Users",
    "ErrorString": "The system cannot find the file specified.\r\n",
    "Binary": "02000000"
  },
  "message": ""
}

Event ID 16640 — The account-identifier allocator finished initializing.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The account-identifier allocator finished initializing. The allocator was initialized with the following identifier values: {MinimumDomainRID} {MaximumDomainRID} {RIDPoolSize} {MinimumAvailableRID} {MaximumAvailableRID} {MinimumAllocatedRID} {MaximumAllocatedRID} {CurrentRIDValue}. Check the record data of this event for the initialization status. Zero indicates successful initialization; otherwise the record data contains the NT error code.

Fields #

Name Description
MinimumDomainRID
MaximumDomainRID
RIDPoolSize
MinimumAvailableRID
MaximumAvailableRID
MinimumAllocatedRID
MaximumAllocatedRID
CurrentRIDValue

Event ID 16641 — The account-identifier pool for this domain controller could not be updated.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The account-identifier pool for this domain controller could not be updated. A possible reason for this is that the domain controller may be too busy with other update operations. Subsequent account creations will attempt to update the ID pool until successful.

Event ID 16642 — The account-identifier allocator was unable to assign a new identifier.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The account-identifier allocator was unable to assign a new identifier. The identifier pool for this domain controller may have been depleted. If this problem persists, restart the domain controller and view the initialization status of the allocator in the event log.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16643 — An initial account-identifier pool has not yet been allocated to this domain controller.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

An initial account-identifier pool has not yet been allocated to this domain controller. A possible reason for this is that the domain controller has been unable to contact the master domain controller, possibly due to connectivity or network problems. Account creation will fail on this domain controller until the pool is obtained.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16644 — The maximum domain account identifier value has been reached.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.

Message #

The maximum domain account identifier value has been reached. No further account-identifier pools can be allocated to domain controllers in this domain.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16645 — The maximum account identifier allocated to this domain controller has been assigned.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domain.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16646 — The computed account identifier is invalid because it is out of the range of the current account-identifier pool belonging to this domain controller.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The computed account identifier is invalid because it is out of the range of the current account-identifier pool belonging to this domain controller. The computed RID value is %1. Try invalidating the account identifier pool owned by this domain controller. This will make the domain controller acquire a fresh account identifier pool.

Fields #

Name Description
ComputedRIDValue UInt32
ErrorCode Binary
__binLength UInt32

Event ID 16647 — The domain controller is starting a request for a new account-identifier pool.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

The domain controller is starting a request for a new account-identifier pool.

Message #

The domain controller is starting a request for a new account-identifier pool.

Fields #

Name Description
Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16647,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:41.496467+00:00",
    "event_record_id": 696,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 856
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_REQUESTING_NEW_RID_POOL"
  },
  "message": ""
}

Event ID 16648 — The request for a new account-identifier pool has completed successfully.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

The request for a new account-identifier pool has completed successfully.

Message #

The request for a new account-identifier pool has completed successfully.

Fields #

Name Description
Name
Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16648,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:41.498371+00:00",
    "event_record_id": 697,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 856
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_RID_REQUEST_STATUS_SUCCESS",
    "Binary": "00000000"
  },
  "message": ""
}

Event ID 16649 — The account-identifier-manager object creation completed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The account-identifier-manager object creation completed. If the record data for this event has the value zero, the manager object was created. Otherwise, the record data will contain the NT error code indicating the failure. The failure to create the object may be due to low system resources, insufficient memory, or disk space.

Fields #

Name Description
ErrorCode Binary
__binLength UInt32

Event ID 16650 — The account-identifier allocator failed to initialize properly.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The account-identifier allocator failed to initialize properly.  The record data contains the NT error code that caused the failure.  The initialization will be retried until it succeeds; until that time; account creation will be denied on this Domain Controller.  Please look for other SAM event logs that may indicate the exact reason for the failure.

Event ID 16651 — The request for a new account-identifier pool failed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is.

Message #

The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is 
 " %1 "

Fields #

Name Description
ErrorMessage UnicodeString

Event ID 16652 — The domain controller is booting to directory services restore mode.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The domain controller is booting to directory services restore mode.

Message #

The domain controller is booting to directory services restore mode.

Event ID 16653 — A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

A pool size for account-identifiers (RIDs) that was configured by an Administrator is greater than the supported maximum. The maximum value of %1 will be used when the domain controller is the RID master. 
See http://go.microsoft.com/fwlink/?LinkId=225963 for more information.

Fields #

Name Description
Maximum UInt32

Event ID 16654 — A pool of account-identifiers (RIDs) has been invalidated.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases.

Message #

A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:
1. A domain controller is restored from backup. 
2. A domain controller running on a virtual machine is restored from snapshot. 
3. An administrator has manually invalidated the pool. 
See http://go.microsoft.com/fwlink/?LinkId=226247 for more information.

Event ID 16655 — The global maximum for account-identifiers (RIDs) has been increased to NewValue.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The global maximum for account-identifiers (RIDs) has been increased to NewValue.

Message #

The global maximum for account-identifiers (RIDs) has been increased to %1. 
 See http://go.microsoft.com/fwlink/?LinkId=233329 for more information including important operating system interoperability requirements.

Fields #

Name Description
NewValue UInt32

Event ID 16656 — Action required!

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Action required! An account-identifier (RID) pool was allocated to this domain controller. The pool value indicates this domain has consumed a considerable portion of the total available account-identifiers. 

A protection mechanism will be activated when the domain reaches the following threshold of total available account-identifiers remaining: %1.  The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain. The mechanism will remain active until the Administrator manually re-enables account-identifier allocation on the RID master domain controller. 

See http://go.microsoft.com/fwlink/?LinkId=228610 for more information.

Fields #

Name Description
CeilingTriggerRid UInt32

Event ID 16657 — Action required!

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Action required! This domain has consumed a considerable portion of the total available account-identifiers (RIDs). A protection mechanism has been activated because the total available account-identifiers remaining is approximately: %1. 

The protection mechanism prevents the allocation of account-identifier (RID) pools needed to allow existing DCs to create additional users, computers and groups, or promote new DCs into the domain.  The mechanism will remain active until the Administrator manually re-enables account-identifier (RID) allocation on the RID master domain controller. 

It is extremely important that certain diagnostics be performed prior to re-enabling account creation to ensure this domain is not consuming account-identifiers at an abnormally high rate. Any issues identified should be resolved prior to re-enabling account creation. 

Failure to diagnose and fix any underlying issue causing an abnormally high rate of account-identifier consumption can lead to account-identifier (RID) pool exhaustion in the domain after which account creation will be permanently disabled in this domain. 

See http://go.microsoft.com/fwlink/?LinkId=228610 for more information.

Fields #

Name Description
CeilingTriggerRid UInt32

Event ID 16658 — This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs).

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: RemainingRids.

Message #

This event is a periodic update on the remaining total quantity of available account-identifiers (RIDs). The number of remaining account-identifiers is approximately: %1. 

Account-identifiers are used as accounts are created, when they are exhausted no new accounts may be created in the domain. 

See http://go.microsoft.com/fwlink/?LinkId=228745 for more information.

Fields #

Name Description
RemainingRids UInt32

Event ID 16935 — Failed to secure the machine account ComputerName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Failed to secure the machine account ComputerName. Have an administrator remove the builtin\account operators full control Access Control Entry from the security descriptor on this object.

Message #

Failed to secure the machine account %1.  Have an administrator remove the builtin\account operators full control Access Control Entry from the security descriptor on this object.

Fields #

Name Description
ComputerName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16936 — Failed to secure the machine account ComputerName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Failed to secure the machine account %1.  This operation will be retried. Have an administrator verify the builtin\account operators full control Access Control Entry was removed from the security descriptor on this object.

Fields #

Name Description
ComputerName UnicodeString
ErrorCode Binary
__binLength UInt32

Event ID 16937 — Secured the machine account ComputerName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

Secured the machine account ComputerName. The builtin\account operators full control Access Control Entry was removed from the security descriptor on this object.

Message #

Secured the machine account %1.  The builtin\account operators full control Access Control Entry was removed from the security descriptor on this object.

Fields #

Name Description
Name
ComputerName UnicodeString
Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16937,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:14:31.637430+00:00",
    "event_record_id": 624,
    "correlation": {},
    "execution": {
      "process_id": 648,
      "thread_id": 652
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_MACHINE_ACCOUNT_SECURE",
    "ComputerName": "",
    "Binary": "00000000"
  },
  "message": ""
}

Event ID 16944 — The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID OID in the Active Directory database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The certificate that is used for authentication does not have an issuance policy descriptor corresponding to OID %1 in the Active Directory database. This certificate will not be associated with a corresponding security identifier (SID), and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy. The error is %2.

Fields #

Name Description
OID UnicodeString
ErrorCode UInt32

Event ID 16945 — The certificate issuance policy that is represented by OID OID Object DN does not have a link to a security identifier (SID), or this link cannot be read.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The certificate issuance policy that is represented by OID %2 does not have a link to a security identifier (SID), or this link cannot be read. The link is represented by the attribute msDS-OIDToGroupLink on the msPKI-Enterprise-Oid object that represents the issuance policy. This certificate will not be associated with a corresponding SID, and the user may be denied access to some resources if you have resources whose access is restricted based on this issuance policy.

Fields #

Name Description
OID UnicodeString
OID Object DN UnicodeString
ErrorCode UInt32
OIDObjectDN UnicodeString

Event ID 16946 — Multiple certificate issuance policy descriptors were found in the Active Directory database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

Multiple certificate issuance policy descriptors were found in the Active Directory database. The attribute msPKI-Cert-Template-OID of these descriptors contains string %1.  This attribute should be able to uniquely identify an issuance policy descriptor; you should resolve this conflict. The issuance policies that are affected will not be associated with security identifiers (SIDs), and users who are authenticating using certificates that are issued by the corresponding policy may be denied access to some resources.

Fields #

Name Description
OID UnicodeString

Event ID 16947 — The certificate issuance policy descriptor OID Object DN is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has memb...

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The certificate issuance policy descriptor OID Object DN is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has members, or is not universal. The error is ErrorCode.

Message #

The certificate issuance policy descriptor %2 is linked through its attribute msDS-OIDToGroupLink to a group that is not a security group, has members, or is not universal. The error is %6.
An issuance policy should be linked to a security identifier (SID) of a group that is security enabled, does not have members, and is universal. Users who are authenticating using certificates that are issued according to this policy may be denied access to some resources. The distinguished name (also known as DN) of the group that does not meet these requirements is %3.

Fields #

Name Description
OID UnicodeString
OID Object DN UnicodeString
Group DN UnicodeString
Group GUID UnicodeString
Group SID UnicodeString
ErrorCode UInt32
OIDObjectDN UnicodeString
GroupDN UnicodeString
GroupGUID UnicodeString
GroupSID UnicodeString

Event ID 16948 — The requested modification for group Group DN could not be performed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The requested modification for group %1 could not be performed. This is because this group is linked through msDS-OIDToGroupLinkBl to a certificate issuance policy descriptor. Such groups should be security enabled, they should not have any members, and they should be universal.
The requested operation was %4.
The error is %5.

Fields #

Name Description
Group DN UnicodeString
Group GUID UnicodeString
Group SID UnicodeString
Operation UnicodeString
Known values
%%2456 Open key file.
%%2457 Delete key file.
%%2458 Read persisted key from file.
%%2459 Write persisted key to file.
%%2464 Export of persistent cryptographic key.
%%2465 Import of persistent cryptographic key.
%%2480 Open Key.
%%2481 Create Key.
%%2482 Delete Key.
%%2483 Encrypt.
%%2484 Decrypt.
%%2485 Sign hash.
%%2486 Secret agreement.
%%2487 Domain settings.
%%2488 Local settings.
%%2489 Add provider.
%%2490 Remove provider.
%%2491 Add context.
%%2492 Remove context.
%%2493 Add function.
%%2494 Remove function.
%%2495 Add function provider.
%%2496 Remove function provider.
%%2497 Add function property.
%%2498 Remove function property.
%%2499 Machine key.
%%2500 User key.
%%2501 Key Derivation.
%%2502 Claim Creation.
%%2503 Claim Verification.
ErrorCode UInt32
GroupDN UnicodeString
GroupGUID UnicodeString
GroupSID UnicodeString

Event ID 16949 — The certificate issuance policy descriptor OID Name cannot be linked to group Group Name.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The certificate issuance policy descriptor %1 cannot be linked to group %2. Issuance policies can be linked through the attribute msDS-OIDToGroupLink only to universal, security-enabled groups that have an empty membership. You should ensure that this group meets these requirements.
The error is %5.

Fields #

Name Description
OID Name UnicodeString
Group Name UnicodeString
Group GUID UnicodeString
Group SID UnicodeString
ErrorCode UInt32
OIDName UnicodeString
GroupName UnicodeString
GroupGUID UnicodeString
GroupSID UnicodeString

Event ID 16950 — The following invalid claims issued to user User have been dropped: DroppedClaims.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The following invalid claims issued to user User have been dropped: DroppedClaims.

Message #

The following invalid claims issued to user %1 have been dropped: %2.

Fields #

Name Description
User UnicodeString
DroppedClaims UnicodeString

Event ID 16951 — Claims issued to user User could not be validated and have been dropped.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Claims issued to user User could not be validated and have been dropped. Error: Error code:.

Message #

Claims issued to user %1 could not be validated and have been dropped. Error: %2.

Fields #

Name Description
User UnicodeString
Error code: UInt32
Errorcode UInt32

Event ID 16952 — Claims issued to user User could not be validated and have been dropped.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Claims issued to user User could not be validated and have been dropped. Error: Error code:.

Message #

Claims issued to user %1 could not be validated and have been dropped. Error: %2.

Fields #

Name Description
User UnicodeString
Error code: UInt32
Errorcode UInt32

Event ID 16953 — The password notification DLL NotificationPackage: failed to load with error Error code:.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The password notification DLL %1 failed to load with error %4. Please verify that the notification DLL path defined in the registry, %2%3, refers to a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files.  Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898.

Fields #

Name Description
NotificationPackage: UnicodeString
Registry key: UnicodeString
Registry value: UnicodeString
Error code: UInt32
NotificationPackage UnicodeString
Registrykey UnicodeString
Registryvalue UnicodeString
Errorcode UInt32

Event ID 16960 — SAM was configured to not listen on the TCP protocol.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

SAM was configured to not listen on the TCP protocol.

Message #

SAM was configured to not listen on the TCP protocol.

Event ID 16961 — Legacy password validation mode has been enabled on this machine.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Legacy password validation mode has been enabled on this machine. If an Exchange ActiveSync policy is configured it will not be enforced for password validation requests.

Message #

Legacy password validation mode has been enabled on this machine. If an Exchange ActiveSync policy is configured it will not be enforced for password validation requests.

Event ID 16962 — Remote calls to the SAM database are being restricted using the default security descriptor: Default SD String.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

Remote calls to the SAM database are being restricted using the default security descriptor: Default SD String.

Message #

Remote calls to the SAM database are being restricted using the default security descriptor: %1.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
Name Remote calls to the SAM database are being restricted using the default security descriptor.
Default SD String: UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16962,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:28.054783+00:00",
    "event_record_id": 1666,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 812
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_RESTRICT_REMOTE_SAM_DEFAULT_SD",
    "Default SD String:": "O:SYG:SYD:(A;;RC;;;BA)"
  },
  "message": ""
}

Event ID 16963 — Remote calls to the SAM database are being restricted using the configured registry security descriptor: RegistrySDString.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Remote calls to the SAM database are being restricted using the configured registry security descriptor: RegistrySDString.

Message #

Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
RegistrySDString UnicodeString

Event ID 16964 — The registry security descriptor is malformed: MalformedSDString.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The registry security descriptor is malformed: MalformedSDString.

Message #

The registry security descriptor is malformed: %1.
Remote calls to the SAM database are being restricted using the default security descriptor: %2.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
MalformedSDString UnicodeString
DefaultSDString UnicodeString

Event ID 16965 — A remote call to the SAM database has been denied.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

A remote call to the SAM database has been denied.

Message #

A remote call to the SAM database has been denied.
Client SID: %1
Network address: %2
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
Client_SID UnicodeString
Network_address UnicodeString
ClientSID UnicodeString
ClientNetworkAddress UnicodeString

Event ID 16966 — Audit only mode is now enabled for remote calls to the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode.

Message #

Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. 
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Event ID 16967 — Audit only mode is now disabled for remote calls to the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Audit only mode is now disabled for remote calls to the SAM database.

Message #

Audit only mode is now disabled for remote calls to the SAM database.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Event ID 16968 — Audit only mode is currently enabled for remote calls to the SAM database.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Audit only mode is currently enabled for remote calls to the SAM database.

Message #

Audit only mode is currently enabled for remote calls to the SAM database.
The following client would have been normally denied access:
Client SID: %1 from network address: %2. 
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
ClientSID UnicodeString
ClientNetworkAddress UnicodeString

Event ID 16969 — Suppressed Message Count: remote calls to the SAM database have been denied in the past Throttle window: seconds throttling window.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

Suppressed Message Count: remote calls to the SAM database have been denied in the past Throttle window: seconds throttling window.

Message #

%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.

Fields #

Name Description
Throttle window: UInt32
Suppressed Message Count: UInt32
Throttlewindow UInt32
SuppressedMessageCount UInt32

Event ID 16976 — An error occurred while configuring one or more well-known accounts for this domain.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

An error occurred while configuring one or more well-known accounts for this domain.  This may be due to a transient error condition. The task will retry periodically until successful. For more information please see https://go.microsoft.com/fwlink/?linkid=832473.
Status: %1

Fields #

Name Description
Status HexInt32 NTSTATUS reference

Event ID 16977 — The domain is configured with the following minimum password length-related settings.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

The domain is configured with the following minimum password length-related settings.

Message #

The domain is configured with the following minimum password length-related settings.

MinimumPasswordLength: %1

RelaxMinimumPasswordLengthLimits: %2

MinimumPasswordLengthAudit: %3

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields #

Name Description
Name
MinimumPasswordLength Int32
RelaxMinimumPasswordLengthLimits Int32
MinimumPasswordLengthAudit Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16977,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:34.991632+00:00",
    "event_record_id": 1669,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 896
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_MINPWDLEN_SETTINGS_IN_EFFECT",
    "MinimumPasswordLength": 0,
    "RelaxMinimumPasswordLengthLimits": 0,
    "MinimumPasswordLengthAudit": -1
  },
  "message": ""
}

Event ID 16978 — The following account has been configured with a password whose length is shorter than the current MinimumPasswordLengthAudit setting.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The following account has been configured with a password whose length is shorter than the current MinimumPasswordLengthAudit setting.

Message #

The following account has been configured with a password whose length is shorter than the current MinimumPasswordLengthAudit setting.

AccountName: %1

MinimumPasswordLength: %2

MinimumPasswordLengthAudit: %3

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields #

Name Description
AccountName UnicodeString
MinimumPasswordLength Int32
MinimumPasswordLengthAudit Int32

Event ID 16979 — The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14 while RelaxMinimumPasswordLengthLimits is either ...

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14 while RelaxMinimumPasswordLengthLimits is either undefined or disabled.

Message #

The domain is incorrectly configured with a MinimumPasswordLength setting that is greater than 14 while RelaxMinimumPasswordLengthLimits is either undefined or disabled.

NOTE: until this is corrected, the domain will enforce a smaller MinimumPasswordLength setting of 14.

Currently configured MinimumPasswordLength value: %1

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Fields #

Name Description
Currently_configured_MinimumPasswordLength_value Int32
MinimumPasswordLength Int32

Event ID 16980 — The security account manager has detected the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The security account manager has detected the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account. The policy is currently configured for audit so the authentication was allowed to proceed.

Account DN: %1

Account SID: %2

KeyHash: %3

For more information see https://go.microsoft.com/fwlink/?linkid=2116430.

Fields #

Name Description
Account_DN UnicodeString
Account_SID UnicodeString
KeyHash UnicodeString
AccountDN UnicodeString
AccountSID UnicodeString

Event ID 16981 — The security account manager has detected and blocked the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the foll...

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager has detected and blocked the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account.

Message #

The security account manager has detected and blocked the use of a ROCA-vulnerable Windows Hello for Business key during authentication by the following account.

Account DN: %1

Account SID: %2

KeyHash: %3

For more information see https://go.microsoft.com/fwlink/?linkid=2116430.

Fields #

Name Description
Account_DN UnicodeString
Account_SID UnicodeString
KeyHash UnicodeString
AccountDN UnicodeString
AccountSID UnicodeString

Event ID 16982 — The security account manager is now logging verbose events for remote clients that call legacy password change or set RPC methods.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The security account manager is now logging verbose events for remote clients that call legacy password change or set RPC methods. This setting may cause large number of messages and should only be used for a short period time to diagnose problems.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Event ID 16983 — The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System
Level
Informational

Description

The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

Message #

The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields #

Name Description
Name

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Directory-Services-SAM",
    "guid": "0D4FDC09-8C27-494A-BDA0-505E4FD8ADAE",
    "event_source_name": "",
    "event_id": 16983,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:28.084211+00:00",
    "event_record_id": 1668,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 812
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "SAMMSG_AUDIT_LEGACY_PWD_RPC_METHODS_OFF"
  },
  "message": ""
}

Event ID 16984 — The security account manager detected Number of RPC methods: legacy password change or set RPC method calls in the past Throttle Window: minutes.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager detected Number of RPC methods: legacy password change or set RPC method calls in the past Throttle Window: minutes.

Message #

The security account manager detected %1 legacy password change or set RPC method calls in the past %2 minutes.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields #

Name Description
Number of RPC methods: UInt32
Throttle Window: UInt32
NumberofRPCmethods UInt32
ThrottleWindow UInt32

Event ID 16985 — The security account manager detected the use of a legacy password change or set RPC method from a network client.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager detected the use of a legacy password change or set RPC method from a network client.

Message #

The security account manager detected the use of a legacy password change or set RPC method from a network client.
Consider upgrading the client operating system or application to use the latest and more secure version of this method.

Details:

RPC Method: %1
Client Network Address: %4
Client SID: %3
Username: %2

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Fields #

Name Description
RPC_Method UnicodeString [Details] RPC Method.
Username UnicodeString [Details] Username.
Client_SID UnicodeString [Details] Client SID.
Client_Network_Address UnicodeString [Details] Client Network Address.
RPCMethod UnicodeString
UserAccountName UnicodeString
ClientSID UnicodeString
ClientNetworkAddress UnicodeString

Event ID 16986 — The security account manager has detected one or more duplicated names for a local account.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager has detected one or more duplicated names for a local account. This inconsistency was remediated by keeping one account name and deleting the remaining names.

Message #

The security account manager has detected one or more duplicated names for a local account. This inconsistency was remediated by keeping one account name and deleting the remaining names.

RID=%1(%2)

Retained account name: %3

Deleted account name(s): %4

For more information see https://go.microsoft.com/fwlink/?linkid=2134956.

Fields #

Name Description
Retained_account_name
Deleted_account_names
AccountRidHex HexInt32
AccountRid Int32
SavedAccountName UnicodeString
DeletedAccountNames UnicodeString

Event ID 16987 — The security account manager has detected one or more duplicated names for a local account.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The security account manager has detected one or more duplicated names for a local account. This inconsistency may cause application failures and\or system instability. No changes were made since the policy is in detect-only mode.

Details:

RID=%1(%2)

Duplicate account names: %3

If the policy had been set to repair mode, the following account name would have been retained and all others deleted:

Account name to retain: %4

For more information see https://go.microsoft.com/fwlink/?linkid=2134956.

Fields #

Name Description
AccountRidHex HexInt32
AccountRid Int32
DuplicatedAccountNames UnicodeString
RetainedAccountName UnicodeString

Event ID 16988 — The security account manager encountered one or more fatal errors on startup which will not allow the machine to start.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager encountered one or more fatal errors on startup which will not allow the machine to start.

Message #

The security account manager encountered one or more fatal errors on startup which will not allow the machine to start.

Service startup error status:%1

More details may be found in the event data.

For more information see https://go.microsoft.com/fwlink/?linkid=2157228.

Fields #

Name Description
Service_startup_error_status
StatusHex HexInt32
__binLength UInt32
DiagnosticInfo Binary

Event ID 16989 — The security account manager encountered one or more non-fatal errors on startup.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager encountered one or more non-fatal errors on startup.

Message #

The security account manager encountered one or more non-fatal errors on startup.

More details may be found in the event data.

For more information see https://go.microsoft.com/fwlink/?linkid=2157228.

Fields #

Name Description
DiagnosticInfo Binary
__binLength UInt32

Event ID 16990 — The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and u...

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

Message #

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

Details:

Account name: %1
Account objectClass: %2
userAccountControl: %3
Caller address: %4
Caller SID: %5

For more information see https://go.microsoft.com/fwlink/?linkid=2173873.

Fields #

Name Description
Account_name UnicodeString [Details] Account name.
Account_objectClass UnicodeString [Details] Account objectClass.
userAccountControl UInt32 [Details] userAccountControl.
Caller_address UnicodeString [Details] Caller address.
Caller_SID UnicodeString [Details] Caller SID.
Accountname UnicodeString
AccountobjectClass UnicodeString
userAccountcontrol UInt32
Calleraddress UnicodeString
CallerSID UnicodeString

Event ID 16991 — The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Message #

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

Attempted sAMAccountName: %1
Recommended sAMAccountName: %1$

For more information see https://go.microsoft.com/fwlink/?linkid=2173873.

Fields #

Name Description
Attempted_sAMAccountName UnicodeString
SamAccountName UnicodeString

Event ID 16992 — The security account manager is now configuring the local password and lockout policies in accordance with regional policy.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager is now configuring the local password and lockout policies in accordance with regional policy.

Message #

The security account manager is now configuring the local password and lockout policies in accordance with regional policy.

Event ID 16993 — The security account manager successfully initialized the Local Administrator Password Solution (LAPS) extension dll.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager successfully initialized the Local Administrator Password Solution (LAPS) extension dll.

Message #

The security account manager successfully initialized the Local Administrator Password Solution (LAPS) extension dll.

Event ID 16994 — The security account manager failed to initialize the Local Administrator Password Solution (LAPS) extension dll.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager failed to initialize the Local Administrator Password Solution (LAPS) extension dll.

Message #

The security account manager failed to initialize the Local Administrator Password Solution (LAPS) extension dll.

Status:%1

Fields #

Name Description
Status HexInt32 NTSTATUS reference

Event ID 16995 — The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

Message #

The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

SDDL Value: %1.

This allow list is configured through group policy in Active Directory.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields #

Name Description
SDDL_Value UnicodeString
RegistrySDString UnicodeString

Event ID 16996 — The security descriptor that contains the computer account re-use allow list being used to validate client requests during domain join is malformed.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security descriptor that contains the computer account re-use allow list being used to validate client requests during domain join is malformed.

Message #

The security descriptor that contains the computer account re-use allow list being used to validate client requests during domain join is malformed.

SDDL Value: %1.

This allow list is configured through group policy in Active Directory.To correct this problem an administrator will need to update the policy and set this value to a valid security descriptor or disable the policy.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields #

Name Description
SDDL_Value UnicodeString
RegistrySDString UnicodeString

Event ID 16997 — The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Message #

The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Computer Account: %1
Computer Account Owner: %2

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields #

Name Description
Computer_Account UnicodeString
Computer_Account_Owner UnicodeString
ComputerAccountSID UnicodeString
ComputerAccountOwnerSID UnicodeString

Event ID 16998 — The security account manager rejected a client request to re-use a computer account during domain join.

Provider
Microsoft-Windows-Directory-Services-SAM
Channel
System

Description

The security account manager rejected a client request to re-use a computer account during domain join.

Message #

The security account manager rejected a client request to re-use a computer account during domain join.
The computer account and the client identity did not meet the required security validation checks.

Client Account: %3
Computer Account: %1
Computer Account Owner: %2

Check the record data of this event for the NT Error code.
For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Fields #

Name Description
Computer_Account
Computer_Account_Owner
Client_Account
ComputerAccountSID UnicodeString
ComputerAccountOwnerSID UnicodeString
ClientUserAccountSID UnicodeString
__binLength UInt32
ErrorCode Binary