Event ID 609 – User Right Removed
Event ID 609 is logged when a user right is revoked from a user or group. The "User" field, meant to indicate the person who revoked the rights, tends to show the name of the system. Thus, to determine the actual user who revoked the rights, the domain controller's security logs must be checked.
Note: Event 609 is not logged for events such as "Access this computer from the network" or "Logon as a service".
This log data provides the following information:
- User Right
- Removed From
- User Name
- Logon ID
Why does event ID 609 need to be monitored?
- To monitor actions performed by the SYSTEM account
- To monitor the actions of high-value accounts
- To detect anomalies or malicious actions
- To ensure only whitelisted accounts perform certain actions
- To ensure non-active, disabled, external, guest, or other accounts are not used
- To monitor user rights that are restricted
ADAudit Plus helps you avoid the GPOs monitoring complexities with real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports highlight the elusive change details, and also provide the old and new values of the modified attributes.
Event 609 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Windows Vista is 4705.