
I looked at the System logs on my Vista machine. What is "Special Logon"? Did an administrator log onto my PC?

WeDoTDD.com

1 Answer


This is something new for Windows 2008 and Vista (...and probably Windows 7). It is used to audit special logons such as administrators or members of a special group.

Let me quote from an article:

The Special Logon auditing subcategory is part of a new auditing feature in Server 2008 and Vista called Special Groups. Administrators can use this feature to find out when a member of a certain group logs on to a specific computer. For example, if you have a file server that's reserved for your organization's research department, you'll always have users other than those in the research department who access the file server, such as the server operators in your IT department. If your research department's file server stores confidential information, the department might ask you to generate an audit trail that specifically logs all file server logon events of server operators. In the legacy Windows auditing system, you would need to enable the Audit logon events category for all users, which would log all logons and logoffs on a system, and then filter for the audit events that are related to server operator account logons. In Server 2008 and Vista, you can use GAPs and the Special Logon audit subcategory to log a specific event each time a member of the server operators' group logs on to the research department's file server.

The Special Logon audit subcategory uses a new registry key called SpecialGroups that you can create on the server in which you want to perform granular auditing, such as the research department's file server in the above example. The SpecialGroups key lists the SIDs of important groups for which you want to track the logon events. If the Special Logon audit subcategory is enabled (remember that it's enabled by default for success events), each time a user that's a member of a group listed in the SpecialGroups key logs on to the server, the Windows auditing system will generate an event with ID 4964 in the server's security event log.

J Sidhu
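The following PowerShell script is an added example and is not part of the question or of J Sidhu's answer. It walks through the feature the quoted article describes: checking that the Special Logon subcategory is enabled, populating the SpecialGroups list with the SIDs of the groups to watch, and then pulling the resulting event ID 4964 records out of the Security log so a defender can see which watched-group members logged on and when. It assumes an elevated session with PowerShell 2.0 or later, the registry location that Microsoft documents for the SpecialGroups value (the `Lsa\Audit` key; confirm it on your own build), and the event-data field names of 4964 (`TargetUserName`, `TargetDomainName`, `TargetLogonId`, `SidList`), which are taken from the event's schema rather than from the page. The two SIDs are well-known built-in group SIDs used as stand-ins for whatever groups you actually want to track.

```powershell
# Added example (not from the original answer): set up Special Groups auditing
# and report the Special Logon (4964) events it produces.
# Requires an elevated PowerShell 2.0+ session on Vista / Server 2008 or later.

# 1. Confirm the subcategory is enabled. Success auditing is on by default,
#    but group policy or a hardening baseline may have changed it.
auditpol /get /subcategory:"Special Logon"

# 2. Groups whose logons should raise 4964. Well-known built-in SIDs used as
#    stand-ins here; replace with the groups you actually care about.
$watchedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-32-549'    # BUILTIN\Server Operators
)

# Resolving a domain group's SID, if you need one (example name is constructed):
# $acct = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Research Admins')
# $watchedSids += $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Registry location of the SpecialGroups value (assumed from Microsoft's
# documentation of the feature; verify on your build). Value type is REG_SZ
# and the SIDs are separated by semicolons.
$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'
if (-not (Test-Path $auditKey)) {
    New-Item -Path $auditKey -Force | Out-Null
}
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' `
    -Value ($watchedSids -join ';') -Type String

# 3. Report 4964 events from the last seven days. Each event's XML carries the
#    logon target and the list of watched SIDs that matched.
$since = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4964; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Account       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonId       = $data['TargetLogonId']
            MatchedGroups = $data['SidList']
        }
    } | Format-Table -AutoSize
```

The registry change takes effect for new logons only, so run the query after someone in a watched group has signed in. The `MatchedGroups` column is what distinguishes a 4964 event from an ordinary logon event: it names the SpecialGroups entries the logging-on account belonged to, which is the audit trail the article's research-department example is asking for.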