Windows Security Log Event ID 4964

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
 • Special Logon
Type Success
Corresponding events
in Windows 2003
and before

4964: Special groups have been assigned to a new logon

On this page

For this event to be produced, auditing for SpecialGroups must first be set up. See Event 4908 for setup.

A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry anyone in a Special Group will produce this event when logging on.

Free Security Log Resources by Randy

Description Fields in 4964


  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4
  •  Logon GUID: %5

New Logon:

  •  Security ID:  %6
  •  Account Name:  %7
  •  Account Domain:  %8
  •  Logon ID:  %9
  •  Logon GUID: %10
  •  Special Groups Assigned: %11

Supercharger Free Edition

Centrally manage WEC subscriptions.



Examples of 4964

Special groups have been assigned to a new logon.


Security ID:  SYSTEM
Account Name:  DC08$
Account Domain:  ACME
Logon ID:  0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

New Logon:

Security ID:  ACME\wsmith
Account Name:  wsmith
Account Domain:  ACME
Logon ID:  0x110b51
Logon GUID: {3432a23c-bb03-007e-e951-eeacdf5b5606}
Special Groups Assigned: ACME\WatchGroup

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources