Applies To: Windows 7, Windows Server 2008 R2
This security policy setting determines whether the operating system generates audit events when:
Event volume: Low
Default: Success
If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
-
A special logon is used. A special logon is a logon that has
administrator-equivalent privileges and can be used to elevate a process
to a higher level.
-
A member of a special group logs on. Special Groups is a Windows
feature that enables the administrator to find out when a member of a
certain group has logged on. The administrator can set a list of group
security identifiers (SIDs) in the registry. If any of these SIDs is
added to a token during logon and this auditing subcategory is enabled, a
security event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=120183).
Event volume: Low
Default: Success
If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
| Event ID | Event message |
|---|---|
|
4964 |
Special groups have been assigned to a new logon. |
No comments:
Post a Comment