G'day viewers, my name is Oren Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the privilege use category of advanced security auditing for Windows Server. This category of policies allows you to track the use of permissions on computers. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that you can find in the linked playlist in the description. Some of these topics are a bit dry, but we attempted to make them so you'd be able to review information about advanced auditing in a more digestible format.

As a Windows Server administrator, you should have a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments. Privilege use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following policies: Audit Non Sensitive Privilege Use, Audit Sensitive Privilege Use, and Audit Other Privilege Use Events.

The Audit Non Sensitive Privilege Use policy generates events that show usage of nonsensitive privileges. If you configure this policy setting, an audit event is generated when a nonsensitive privilege is called. Success audits record successful attempts and failure audits record unsuccessful attempts. This is a list of nonsensitive privileges that will trigger events.

Access Credential Manager as a trusted caller, add workstations to domain, adjust memory quotas for a process, bypass traverse checking, change the system time, change the time zone, create a page file, create global objects, create permanent shared objects, create symbolic links, force shutdown from a remote system, increase a process working set, increase scheduling priority, lock pages in memory, modify an object label, perform volume maintenance tasks, profile single process, profile system performance, remove computer from docking station, shut down the system, synchronize directory service data.

This subcategory also contains informational events from the file system transaction manager. The following events will be enabled if you configure auditing through this policy. 4673, a privileged service was called. 4674, an operation was attempted on a privileged object. 4985, the state of a transaction has changed.

The Audit Sensitive Privilege Use policy generates events that show the usage of sensitive privileges. This is the list of sensitive privileges: act as part of the operating system, back up files and directories, restore files and directories, create a token object, debug programs, enable computer and user accounts to be trusted for delegation, generate security audits, impersonate the client after authentication, load and unload device drivers, manage auditing and security log, modify firmware environment values, replace a process level token, take ownership of files or other objects.

The use of two privileges, back up files and directories and restore files and directories, generates events only if the "Audit: Audit the use of Backup and Restore privilege" Group Policy setting is enabled on the computer or device. The following events will be enabled if you configure auditing through this policy. 4673, a privileged service was called. 4674, an operation was attempted on a privileged object. 4985, the state of a transaction has changed.

The Audit Other Privilege Use Events auditing subcategory generates only one event, which is generated by the file system transaction manager. A transaction manager is an instance of a log. 4985, the state of a transaction has changed.

This video provided an introduction to Windows Server advanced security object access audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed breach philosophy.

I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms slash oren. And if you've got any questions or feedback, drop a comment below.
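
Added example, not part of the video or of Microsoft's documentation: the sensitive and nonsensitive policies both emit events 4673 and 4674, so this Python code sorts events into the two groups by the privilege constants in their PrivilegeList field. The Se* names are the standard constants for the user rights listed in the transcript; the event dictionaries and the classify and triage helpers are constructed for illustration.

```python
# Added example: privilege constants are the documented Se* names for the
# user rights listed in the video; the events below are constructed samples.
SENSITIVE = {
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeEnableDelegationPrivilege",
    "SeAuditPrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
    "SeSecurityPrivilege", "SeSystemEnvironmentPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege",
}
NON_SENSITIVE = {
    "SeTrustedCredManAccessPrivilege", "SeMachineAccountPrivilege",
    "SeIncreaseQuotaPrivilege", "SeChangeNotifyPrivilege", "SeSystemtimePrivilege",
    "SeTimeZonePrivilege", "SeCreatePagefilePrivilege", "SeCreateGlobalPrivilege",
    "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege",
    "SeRemoteShutdownPrivilege", "SeIncreaseWorkingSetPrivilege",
    "SeIncreaseBasePriorityPrivilege", "SeLockMemoryPrivilege", "SeRelabelPrivilege",
    "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege",
    "SeSystemProfilePrivilege", "SeUndockPrivilege", "SeShutdownPrivilege",
    "SeSyncAgentPrivilege",
}

def classify(event):
    """Return (subcategory, sensitive privileges found) for one event dict."""
    event_id = event["EventID"]
    if event_id == 4985:                      # transaction manager, no privileges
        return ("transaction", [])
    if event_id not in (4673, 4674):
        return ("not-privilege-use", [])
    privileges = event.get("PrivilegeList", "").split()
    hits = sorted(p for p in privileges if p in SENSITIVE)
    if hits:                                  # one sensitive right is enough
        return ("sensitive", hits)
    if any(p in NON_SENSITIVE for p in privileges):
        return ("non-sensitive", [])
    return ("unknown", [])

# Constructed sample events (field names follow the Security log EventData).
SAMPLE_EVENTS = [
    {"EventID": 4673, "SubjectUserName": "svc-backup", "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4673, "SubjectUserName": "alice", "PrivilegeList": "SeSystemtimePrivilege"},
    {"EventID": 4674, "SubjectUserName": "bob",
     "PrivilegeList": "SeTakeOwnershipPrivilege\n\t\t\tSeChangeNotifyPrivilege"},
    {"EventID": 4985, "SubjectUserName": "SYSTEM"},
]

def triage(events):
    """List (EventID, user, subcategory, sensitive privileges) per event."""
    return [(e["EventID"], e.get("SubjectUserName", "-"), *classify(e)) for e in events]
```

An event that lists both kinds of privilege is reported as sensitive, so a single high-impact right such as SeTakeOwnershipPrivilege is not hidden behind routine ones.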