Event ID 4672
Special privileges assigned to new logon
Special privileges assigned to new logon.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Privileges: %5
This event is generated for new account logons whenever one of the following sensitive privileges is assigned to the logon session. For a complete list of privileges see the insertion string below.
| Privilege | Description |
|---|---|
| SeTcbPrivilege | Act as part of the operating system |
| SeBackupPrivilege | Back up files and directories |
| SeCreateTokenPrivilege | Create a token object |
| SeDebugPrivilege | Debug programs |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation |
| SeAuditPrivilege | Generate security audits |
| SeImpersonatePrivilege | Impersonate a client after authentication |
| SeLoadDriverPrivilege | Load and unload device drivers |
| SeSecurityPrivilege | Manage auditing and security log |
| SeSystemEnvironmentPrivilege | Modify firmware environment values |
| SeAssignPrimaryTokenPrivilege | Replace a process-level token |
| SeRestorePrivilege | Restore files and directories |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects |
Auditing:
Conditional
Enable auditing if you are utilizing the "Special Groups" Windows feature.
Volume:
Low
When "Special Groups" are enabled, volume depends on the configuration and types of users logging on.
Every logon of the SYSTEM account triggers this event.
Microsoft Documentation
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Security ID | SubjectUserSid | %1 | Any | THEDOMAIN\UserThree |
| Account Name | SubjectUserName | %2 | Any | UserThree |
| Account Domain | SubjectDomainName | %3 | Any | THEDOMAIN |
| Logon ID | SubjectLogonId | %4 | Any | 0x345423 |
| Privileges | PrivilegeList | %5 | Any | View Codes |
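An added example (not from the original page or from Microsoft) of triaging this event from its XML form: it reads the fields named in the table above, skips SYSTEM logons, which always generate this event, and reports accounts outside an expected-administrator set. The sample events, the domain SID and the `expected_sids` allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of the SYSTEM account
# Privilege names from the table on this page
SENSITIVE = {
    "SeTcbPrivilege", "SeBackupPrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege",
    "SeEnableDelegationPrivilege", "SeAuditPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeSecurityPrivilege", "SeSystemEnvironmentPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
}

def parse_4672(xml_text):
    """Return the event's fields as a dict, or None if it is not a 4672."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        return None
    ev = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    ev["Privileges"] = ev.get("PrivilegeList", "").split()  # whitespace-separated names
    return ev

def unexpected_privileged_logons(events, expected_sids):
    """Logons that got a listed privilege and are neither SYSTEM nor expected."""
    findings = []
    for xml_text in events:
        ev = parse_4672(xml_text)
        if ev is None or ev.get("SubjectUserSid") in expected_sids | {SYSTEM_SID}:
            continue
        hits = sorted(set(ev["Privileges"]) & SENSITIVE)
        if hits:
            account = ev.get("SubjectDomainName", "") + "\\" + ev.get("SubjectUserName", "")
            findings.append((account, ev.get("SubjectLogonId"), hits))
    return findings

def _event(event_id, sid, name, domain, logon_id, privs):  # builds constructed samples
    fields = {"SubjectUserSid": sid, "SubjectUserName": name, "SubjectDomainName": domain,
              "SubjectLogonId": logon_id, "PrivilegeList": "\n\t\t\t".join(privs)}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLES = [  # constructed events, not captured from a real system
    _event(4672, SYSTEM_SID, "SYSTEM", "NT AUTHORITY", "0x3e7", ["SeTcbPrivilege", "SeDebugPrivilege"]),
    _event(4672, DOM + "-500", "Administrator", "THEDOMAIN", "0x2a1f0", ["SeBackupPrivilege"]),
    _event(4672, DOM + "-1105", "UserThree", "THEDOMAIN", "0x345423", ["SeDebugPrivilege", "SeBackupPrivilege"]),
    _event(4624, DOM + "-1105", "UserThree", "THEDOMAIN", "0x345423", []),
]
```

Calling `unexpected_privileged_logons(SAMPLES, {DOM + "-500"})` returns only the UserThree logon, with its Logon ID available for correlation with other events from the same session.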
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Special Logon"