Logon Logoff Event: 4964

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Logon Logoff » Logon Logoff Event: 4964

Event ID 4964 – Special Groups Have Been Assigned To A New Logon

Event ID 4964
Category Logon/Logoff
Sub-Category Audit Special Logon
Type Success Audit
Description Special groups have been assigned to anew logon.

When an account which is already the member of some defined special group logs in, event 4964 is generated. For this event to be triggered, auditing for 'SpecialGroups' must be set up.

This log provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Logon GUID
  • Special Groups Assigned

Why does event ID 4964 need to be monitored?

Special groups are used to define a list of important critical groups. Using event 4964, we can monitor when all a member of these groups logs on to a computer.

Pro Tip:

ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a domain & OU. The advanced real-time audit reports emphasize on the elusive change details and give a detailed report on the special groups assigned to an account, both old and new.

Event 4964 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10