Object Access Event: 4656

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Object Access Event: 4656

Event ID 4656 – A Handle To An Object Was Requested

Event ID 4656
Category Object Access
Sub-Category Audit File System; Audit Kernel Object; Audit Registry
Type Success Audit; Failure Audit
Description A handle to an object was requested.

When specific access is requested for an object, event ID 4656 is logged. The object for which access is requested can be of any type — file system, kernel, registry object, or a file system object stored on a removable device.

If access is denied, it is logged as a failure audit. This event shows the result of the access request (which is logged by 4663).

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Object Server
  • Object Type
  • Object Name
  • Handle ID
  • Resource Attributes
  • Process ID
  • Process Name
  • Transaction ID
  • Access Type
  • Access Reasons
  • Access Mask
  • Privileges Used for Access Check
  • Restricted SID Count

Why does event ID 4656 need to be monitored?

  • To check if unauthorized or restricted processes are requesting objects
  • If a particular object is sensitive and critical, and all access attempts need to be monitored
  • To monitor actions of high value accounts
  • To detect anomalies and malicious actions
  • To ensure non-active, external, and restricted accounts are not used
  • To ensure that only white-listed accounts perform certain specific actions
  • To enforce conventions and compliances

Pro Tip:

ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.

Event 4656 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding event in Windows 2003 and before: 560.