Windows Security Log Event ID 4964

4964: Special groups have been assigned to a new logon

On this page

• Description of this event
• Field level details
• Examples
• Discuss this event
• Mini-seminars on this event

For this event to be produced, auditing for SpecialGroups must first be set up. See Event 4908 for setup.

A new feature for Vista and Win2008, Special Groups auditing lets the administrator find out when a member of a certain group logs on to the computer. When an administrator sets a list of group security identifiers (SIDs) in the registry anyone in a Special Group will produce this event when logging on.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4964

Subject:

•  Security ID:  %1
•  Account Name:  %2
•  Account Domain:  %3
•  Logon ID:  %4
•  Logon GUID: %5

New Logon:

•  Security ID:  %6
•  Account Name:  %7
•  Account Domain:  %8
•  Logon ID:  %9
•  Logon GUID: %10
•  Special Groups Assigned: %11

Supercharger Free Edition

 

Discussions on Event ID 4964 Ask a question about this event

 

Upcoming Webinars Correlating Vulnerability Scans with Network Path Analysis to Find and Remediate the Biggest Risks to Your Network and Avoid Wasting Time on the Little Ones Getting all Your Security Information Into One Place and Searching It Like Google Regulating Privileged Access: When to Require Human Approval Workflows WSUS vs. SCCM: Which is the best way to go for security patching? XPath Deep Dive: Building Advanced Filters for Windows Event Collection Top 5 Ways for Analyzing Entitlements and Identifying High-Risk

Additional Resources Security Log Quick Reference Chart

•	All Event IDs
•	Audit Policy