Event ID 4672
This event get logged whenever an account assigned any ‘administrator equivalent’ user rights logs on. For instance you will see event 4672 in close proximity to logon events (4624) for administrators since administrators have most of these admin-equivalent rights.
See Event 4624 Logon types. You can correlate the event 4672 with 4624 by Logon ID:.
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 14/10/2013 10:54:00 AM Event ID: 4672 Task Category: Special Logon Level: Information Keywords: Audit Success User: N/A Computer: myDC.myDomain.local Description: Special privileges assigned to new logon. Subject: Security ID: myDomainmyDC$ Account Name: myDC$ Account Domain: myDomain Logon ID: 0x44dddca7 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege
Note : This article is applies to Windows Server 2008,Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer
Advertisement