Event ID 4672 – Special Privileges Assigned To New Logon
|Description||Special privileges were assigned to a new logon.|
If sensitive privileges are assigned to a new logon session, event 4672 is generated for that particular new logon. This event is generally recorded multiple times in the event viewer as every single local system account logon triggers this event.
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
Why does event ID 4672 need to be monitored?
- To ensure a non-administrative account does not have unexpected privileges
- To ensure certain privileges are never granted
- To monitor specific sensitive privileges
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a domain & OU. The advanced Group Policy settings real-time audit reports emphasize on the elusive change details and comprehensively report the assigned special privileges, both old and new.
Event 4672 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.16
- Windows 2016 and 10
Corresponding events in Windows 2003 and before: 576