Event ID 608 – User Right Assigned
When there is a change to the user rights assignments on a computer, Windows logs event ID 608. Rights that are defined in group policy objects are applied by the computer.
The "User" field, meant to indicate the person who assigned or modified the rights, tends to show the name of the system. Thus, to determine the actual user who made the rights assignment changes, the domain controller's security logs must be checked.
Note: Event 608 is not logged for events such as "Access this computer from the network" or "Logon as a service".
This log data provides the following information:
- User Right
- Assigned To
- User Name
- Logon ID
Why does event ID 608 need to be monitored?
- To monitor actions performed by the SYSTEM account
- To monitor the actions of high-value accounts
- To detect anomalies or malicious actions
- To ensure only whitelisted accounts perform certain actions
- To ensure non-active, disabled, external, guest, or other accounts are not used
- To monitor user rights that are restricted
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 608 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4704
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools