Logon Logoff Event: 4672

Active Directory Auditing Tool

The who, where and when of every change is essential for an administrator who needs complete knowledge of the activity in their Active Directory, because it helps identify both desired and undesired activity. ADAudit Plus provides this information in the form of reports. It audits, monitors and reports in real time on critical network resources such as Domain Controllers, covering changes to AD objects (Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration) with 200+ detailed event-specific GUI reports and email alerts.


Event ID 4672 – Special Privileges Assigned To New Logon

Event ID: 4672
Category: Logon/Logoff
Sub-Category: Special Logon
Type: Success Audit
Description: Special privileges were assigned to a new logon.

When sensitive privileges are assigned to a new logon session, event 4672 is generated for that logon. The event usually appears many times in the Event Viewer, because every logon by the Local System account triggers it.

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Privileges

Why does event ID 4672 need to be monitored?

  • To ensure a non-administrative account does not have unexpected privileges
  • To ensure certain privileges are never granted
  • To monitor specific sensitive privileges
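
The three checks above can be run directly over exported 4672 events. The following is an added example, not ADAudit Plus code: it parses the event XML (using the standard EventData names SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId and PrivilegeList), skips the routine Local System noise, and flags unexpected accounts and never-grant privileges. The CONTOSO accounts, the allowlist and the never-grant set are assumptions, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed policy for this example; replace with your own environment's values.
EXPECTED_ADMINS = {("CONTOSO", "adm-alice")}          # accounts allowed special privileges
BUILTIN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
NEVER_GRANT = {"SeDebugPrivilege", "SeTcbPrivilege"}  # privileges that should never appear

def parse_4672(xml_text):
    """Return the 4672 fields from one event's XML, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4672":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"sid": data.get("SubjectUserSid", ""),
            "account": data.get("SubjectUserName", ""),
            "domain": data.get("SubjectDomainName", ""),
            "logon_id": data.get("SubjectLogonId", ""),
            "privileges": set(data.get("PrivilegeList", "").split())}  # whitespace-separated

def triage(events_xml):
    """Return (logon_id, account, reason, privileges) for each 4672 event worth review."""
    findings = []
    for xml_text in events_xml:
        ev = parse_4672(xml_text)
        if ev is None or ev["sid"] in BUILTIN_SIDS:  # skip routine SYSTEM/service logons
            continue
        banned = sorted(ev["privileges"] & NEVER_GRANT)
        if banned:
            findings.append((ev["logon_id"], ev["account"], "never-grant privilege", banned))
        if (ev["domain"].upper(), ev["account"].lower()) not in EXPECTED_ADMINS:
            findings.append((ev["logon_id"], ev["account"], "unexpected account",
                             sorted(ev["privileges"])))
    return findings

def sample_event(sid, user, domain, logon_id, privs, event_id=4672):
    """Build a constructed event in the Windows event XML layout (not real log data)."""
    fields = {"SubjectUserSid": sid, "SubjectUserName": user, "SubjectDomainName": domain,
              "SubjectLogonId": logon_id, "PrivilegeList": "\n\t\t\t".join(privs)}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

SAMPLE_EVENTS = [  # constructed sample data
    sample_event("S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7", ["SeTcbPrivilege", "SeDebugPrivilege"]),
    sample_event("S-1-5-21-1-2-3-1104", "adm-alice", "CONTOSO", "0x1a2b3c", ["SeBackupPrivilege"]),
    sample_event("S-1-5-21-1-2-3-1215", "svc-print", "CONTOSO", "0x4d5e6f",
                 ["SeImpersonatePrivilege", "SeDebugPrivilege"]),
]
```

Calling triage(SAMPLE_EVENTS) reports only the svc-print logon, once for SeDebugPrivilege and once as an account outside the allowlist; the Logon ID in each finding can be used to correlate with the other events of the same session.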

Pro Tip:

ADAudit Plus helps you avoid the complexities of GPO monitoring with pre-configured real-time reports, change auditing and alerts within a domain and OU. The advanced Group Policy settings real-time audit reports emphasize the elusive change details and comprehensively report the assigned special privileges, both old and new.

Event 4672 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding events in Windows 2003 and before: 576