Windows Security Log Event ID 4908
Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory | Policy Change • Audit Policy Change
Type | Success
Corresponding events in Windows 2003 and before |
4908: Special Groups Logon table modified
This event is produced when a SID (Security Identifier) is added to SpecialGroups for auditing purposes.
The SpecialGroups string value must first be added under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit for auditing of Special Groups to take place.
A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry, auditing of Special Groups takes place.
When a user in a Special Group logs on, Event 4964 is logged.
Note: some documentation refers to groups such as Administrators and Backup Operators as special groups. Do not confuse this with the SpecialGroups designation here. An Administrator can add any group he wishes to be audited.
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
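An added example, not part of the original page: a PowerShell check that reads the SpecialGroups value, compares it with an approved baseline, and lists recent 4908 and 4964 events from the Security log. It assumes the value holds a semicolon-delimited list of SIDs; $ExpectedSids is a constructed sample baseline and the seven-day window is arbitrary.

```powershell
# Added example: review Special Groups auditing on the local machine.
# Run from an elevated session so the Security log is readable.
# Assumption: SpecialGroups is a semicolon-delimited list of group SIDs.
# $ExpectedSids is a constructed baseline; replace it with your approved list.
$ExpectedSids = @('S-1-5-32-544', 'S-1-5-32-551')   # Administrators, Backup Operators
$AuditKey     = 'HKLM:\System\CurrentControlSet\Control\Lsa\Audit'

# 1. Read the SIDs currently configured for Special Groups auditing.
$raw = (Get-ItemProperty -Path $AuditKey -Name SpecialGroups -ErrorAction SilentlyContinue).SpecialGroups
$current = @()
if ($raw) {
    $current = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# 2. Compare with the baseline.
#    A missing SID means logons by that group no longer produce Event 4964.
$missing = @($ExpectedSids | Where-Object { $_ -notin $current })
$extra   = @($current      | Where-Object { $_ -notin $ExpectedSids })

if (-not $raw)              { Write-Warning 'SpecialGroups is not set: Special Groups auditing is inactive.' }
if ($missing.Count -gt 0)   { Write-Warning ("Baseline SIDs not audited: " + ($missing -join ', ')) }
if ($extra.Count -gt 0)     { Write-Output  ("SIDs audited but not in baseline: " + ($extra -join ', ')) }

# 3. List recent table modifications (4908) and Special Group logons (4964)
#    so each configuration change can be matched to an approved change.
$filter = @{
    LogName   = 'Security'
    Id        = 4908, 4964
    StartTime = (Get-Date).AddDays(-7)
}
try {
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
} catch {
    # Get-WinEvent raises an error when nothing matches or access is denied.
    Write-Warning "No matching events returned: $($_.Exception.Message)"
}
```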