Windows Security Log Event ID 4908

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Policy Change
 • Audit Policy Change
Type Success
Corresponding events
in Windows 2003
and before

4908: Special Groups Logon table modified

On this page

This event is produced when a SID (Security Identifier) is added to SpecialGroups for auditing purposes.

The SpecialGroups string must be added first to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit for auditing of Special Groups to take place.

A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry, auditing of Special Groups takes place.

When a user in a Special Group logs on , Event 4964 is logged.

Note: some documentation refers to groups such as Administrators and Backup Operators as special groups. Do not confuse this with the SpecialGroups designation here. An Administrator can add any group he wishes to be audited.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

Free Security Log Resources by Randy

Description Fields in 4908

  • Special Groups: %1

Setup PowerShell Audit Log Forwarding in 4 Minutes


Examples of 4908

Special Groups Logon table modified.

Special Groups: BUILTIN\Backup Operators

This event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources