4902 The Per-user audit policy table was created
Records that, at system startup, the per-user audit policy table was created when a per-user audit policy is defined. It is a reference event indicating the existence of individual audit settings.
Overview
The subcategory is Audit Policy Change. When a per-user audit policy (a mechanism that assigns audit settings to specific users different from the overall policy) is defined, its internal table is created at system startup and this event is generated.
How it is triggered
- At system startup in an environment with a per-user audit policy configured.
Security review points
- A per-user policy can strengthen or weaken auditing of a specific account separately from the overall setting. If an attacker plants a setting that weakens auditing only for their account, their activity becomes harder to record. This event is the startup-time confirmation that “per-user settings exist.”
- Changes to the per-user setting itself are tracked by other audit-policy-change events (4719, etc.).
Notes for log review
- It appears at startup only in environments using a per-user audit policy. Without one, it does not appear.
- If this event appears unexpectedly, it indicates someone may have introduced per-user audit settings, so check the configuration.
Key fields
| Field | Meaning |
|---|---|
Subject\Account Name | The subject of the startup processing (often the system) |