Windows Security Log Event ID 621

Operating Systems Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista
4717  

621: System Security Access Granted

On this page

This event documents the grant of logon rights such as "Access this computer from the network" or "Logon as a service".

Rights, like most other security settings, are defined in group policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change you must search the domain controllers' security logs for changes to gpContainer objects (logged by Directory Service auditing). Logon ID allows you to link this event to the prior event 528 or 540 logon event of the user who performed this action.

Assigned To identifies the user or group who was assigned the right. Prefixed by domain name.

This event documents the system name for each logon right as opposed to the more familiar description. Click here for a cross reference.

Note: This event and 622 log changes to strictly logon rights such as "Access this computer from the network" or "Logon as a service" - not to other rights such as "Change the system time" or "Take ownership of files and other objects". See events 608 and 609.

Logon Rights

System name Description
SeNetworkLogonRight Access this computer from the network
SeRemoteInteractiveLogonRight Allow logon through Terminal Services
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyBatchLogonRight Deny logon as a batch job
SeDenyServiceLogonRight Deny logon as a service
SeDenyInteractiveLogonRight Deny logon locally
SeDenyRemoteInteractiveLogonRight Deny logon through Terminal Services
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeInteractiveLogonRight Log on locally

Free Security Log Resources by Randy

Description Fields in 621

  • Access Granted: %4
  • Account Modified: %5
  • Assigned By:
  • User Name: %1
  • Domain:  %2
  • Logon ID: %3

Supercharger Free Edition

 

Examples of 621

System Security Access Granted:
Access Granted: SeRemoteInteractiveLogonRight
Account Modified: ELM\bspears$
Assigned By:
User Name: W3DC$
Domain: ELM
Logon ID: (0x0,0x3E7)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources