Windows Security Log Event ID 4908

4908: Special Groups Logon table modified

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event is produced when a SID (Security Identifier) is added to SpecialGroups for auditing purposes.

The SpecialGroups string must be added first to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit for auditing of Special Groups to take place.

A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry, auditing of Special Groups takes place.

When a user in a Special Group logs on , Event 4964 is logged.

Note: some documentation refers to groups such as Administrators and Backup Operators as special groups. Do not confuse this with the SpecialGroups designation here. An Administrator can add any group he wishes to be audited.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4908

• Special Groups: %1

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy