Monday, 14 October 2013

Event 4672 Special Logon

Event ID 4672

This event get logged whenever an account assigned any 'administrator equivalent' user rights logs on.  For instance you will see event 4672 in close proximity to logon events (4624) for administrators since administrators have most of these admin-equivalent rights.

 See Event 4624 Logon types.  You can correlate the event 4672 with 4624 by Logon ID:.
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          14/10/2013 10:54:00 AM
Event ID:      4672
Task Category: Special Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myDC.myDomain.local
Description:
Special privileges assigned to new logon.

Subject:
 Security ID:  myDomain\myDC$
 Account Name:  myDC$
 Account Domain:  myDomain
 Logon ID:  0x44dddca7

Privileges:  SeSecurityPrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeTakeOwnershipPrivilege
   SeDebugPrivilege
   SeSystemEnvironmentPrivilege
   SeLoadDriverPrivilege
   SeImpersonatePrivilege
   SeEnableDelegationPrivilege

Note : This article is applies to Windows Server 2008,Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer

Advertisements
Advertisements

No comments:

Post a Comment