\ Event ID 672 - Authentication Ticket Granted

Account Logon Event: 672

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Account Logon Event ID 672 - Authentication Ticket Granted

Event ID 672 - Authentication Ticket Granted

Event ID 672
Category Account Logon
Description An authentication ticket was granted

When an authentication ticket is granted in Active Directory, event ID 672 is logged.

This log data gives the following information:

User Name
Supplied Realm Name
User ID
Service Name
Service ID
Ticket Options
Result Code
Ticket Encryption Type
Pre-Authentication Type
Client Address
Certificate Issuer Name
Certificate Serial Number
Certificate Thumbprint

Why event ID 672 needs to be monitored?

  • Prevention of privilege abuse
  • Detection of potential malicious activity
  • Operational purposes like getting information on user activity like user attendance, peak logon times, etc.
  • Compliance mandates

Pro tip:

ADAudit Plus account logon real-time pre-configured reports help identify miscreant users attempting logon into machines that requires elevated privileges and provide evidence for any action administered by any user. These reports can be advantageously in overcoming account logon audit challenges.

Event 672 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

Corresponding event ID for 672 in Windows Server 2008 and Vista is 4768