Special Groups Logon table modified
This event is logged when the Special Groups list used for auditing is modified, for example when a SID (Security Identifier) is added to the SpecialGroups value.
Special Groups auditing does not take place until the SpecialGroups value (a string holding a semicolon-separated list of SIDs) has been created under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit.
A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry, auditing of Special Groups takes place.
When a user who is a member of a Special Group logs on, Event 4964 is logged.
Note: some documentation refers to groups such as Administrators and Backup Operators as "special groups". Do not confuse this with the SpecialGroups designation here: an administrator can add any group they wish to the list to be audited.
According to Microsoft, this event is always logged, regardless of the "Audit Policy Change" subcategory setting. That matters because removing a SID from the SpecialGroups list silently stops 4964 for that group, so 4908, together with several other always-logged audit events, helps identify when someone attempts to disable auditing to cover their tracks.
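The following PowerShell script is an added example, not code from the original page or from Microsoft: it configures Special Groups auditing as described above and then pulls the resulting 4908 and 4964 events from the Security log. The two group names are illustrative assumptions; substitute the groups you actually want to watch. It must be run from an elevated prompt, and the 4964 field names (TargetUserName, TargetLogonId, SidList) and the 4908 field name (SpecialGroups) are the ones Microsoft documents for those events.

```powershell
# Added example (not from the original page): configure Special Groups auditing
# and list the resulting 4908 / 4964 events. Run elevated.

$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

# Groups whose member logons should raise 4964. These two are assumptions for
# illustration; any group will do. They are resolved to SIDs because the
# registry value holds SIDs, not names.
$groups = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
$sids = foreach ($g in $groups) {
    ([System.Security.Principal.NTAccount]$g).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# The Audit subkey does not exist by default. Create it, then write the
# semicolon-separated SID list as the REG_SZ value named SpecialGroups.
# Writing this value is what produces event 4908.
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' -Value ($sids -join ';') -Type String

# 4964 is in the Logon/Logoff > Special Logon subcategory; make sure success
# auditing is enabled there or no logon events will appear.
auditpol.exe /set /subcategory:"Special Logon" /success:enable | Out-Null

# Flatten an event's EventData section into a hashtable keyed by field name,
# so the script does not depend on positional Properties indexes.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# Show table modifications (4908) and special-group logons (4964) from the last day.
# A 4908 whose SpecialGroups field no longer contains a SID you configured is a
# sign that someone removed that group from auditing.
$filter = @{ LogName = 'Security'; Id = 4908, 4964; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($_.Id -eq 4908) {
        '{0}  4908  SpecialGroups table now: {1}' -f $_.TimeCreated, $d['SpecialGroups']
    } else {
        '{0}  4964  {1}\{2} (logon ID {3}) matched: {4}' -f $_.TimeCreated,
            $d['TargetDomainName'], $d['TargetUserName'], $d['TargetLogonId'], $d['SidList']
    }
}
```

Expect the first run to show at least the 4908 generated by the Set-ItemProperty call; 4964 entries appear only after a member of one of the listed groups logs on, so test by logging on interactively or over RDP with such an account.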