Audit Special Logon

Applies to

  • Windows 10
  • Windows Server 2016

Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.

This subcategory allows you to audit events generated by special logons such as the following:

  • The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.

  • A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.

Event volume:

  • Low on a client computer.

  • Medium on a domain controllers or network servers.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes No Yes No This subcategory is very important because of Special Groups related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server Yes No Yes No This subcategory is very important because of Special Groups related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation Yes No Yes No This subcategory is very important because of Special Groups related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4964(S): Special groups have been assigned to a new logon.

  • 4672(S): Special privileges assigned to new logon.