Audit Policy: Object Access: SAM

ID: oval:org.secpod.oval:def:18879
Date: (C)2014-05-29 (M)2021-06-02
Class: COMPLIANCE
Family: windows




Auditing of Object Access: SAM events on failure should be enabled or disabled as appropriate.

The policy setting enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. SAM objects include the following:

* SAM_ALIAS: A local group
* SAM_GROUP: A group that is not a local group
* SAM_USER: A user account
* SAM_DOMAIN: A domain
* SAM_SERVER: A computer account

If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.

Fix:
(1) GPO: Commandline: auditpol.exe
(2) REG: NO INFO
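One way to evaluate this setting from auditpol.exe output, as an added example that is not part of the SecPod definition. The function name `Test-SamAuditPolicy`, its `ExpectedFailure` parameter, the English subcategory name and the sample host name are assumptions made for illustration.

```powershell
# Added example: evaluates the "SAM" subcategory from auditpol's CSV report (/r).
# -ExpectedFailure is an assumption: set it to what your baseline requires, since
# the definition says failure auditing is "enabled or disabled as appropriate".
function Test-SamAuditPolicy {
    param(
        [string[]]$CsvLines,
        [ValidateSet('Enabled', 'Disabled')][string]$ExpectedFailure = 'Enabled'
    )
    # The CSV report can contain blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    # Matches the English subcategory name; localized systems use a translated name.
    $sam = @($rows | Where-Object { $_.Subcategory -eq 'SAM' })
    if ($sam.Count -ne 1) {
        throw "Expected exactly one 'SAM' row, found $($sam.Count)."
    }
    # Values: No Auditing, Success, Failure, Success and Failure.
    $setting   = $sam[0].'Inclusion Setting'
    $failureOn = $setting -match 'Failure'
    [pscustomobject]@{
        Setting        = $setting
        FailureAudited = $failureOn
        Compliant      = ($failureOn -eq ($ExpectedFailure -eq 'Enabled'))
    }
}

# Constructed sample of `auditpol /get /subcategory:"SAM" /r` output
# (host name is made up; only success auditing is on in this sample).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    'WIN-EXAMPLE,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},Success,'
)
Test-SamAuditPolicy -CsvLines $sample
Test-SamAuditPolicy -CsvLines $sample -ExpectedFailure Disabled

# On a live host, from an elevated prompt:
#   Test-SamAuditPolicy -CsvLines (auditpol.exe /get /subcategory:"SAM" /r)
# To turn on failure auditing without touching the success setting:
#   auditpol.exe /set /subcategory:"SAM" /failure:enable
```

If Group Policy manages advanced audit policy on the host, a local `auditpol /set` change is overwritten at the next policy refresh, so make the change in the GPO as well.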

Platform:
Microsoft Windows Server 2008 R2
Reference:
CCE-10728-4
CPE    1
cpe:/o:microsoft:windows_server_2008:r2
CCE    1
CCE-10728-4

© SecPod Technologies