Windows Security Log Event ID 621

Operating Systems: Windows 2003 and XP
Category: Policy Change
Type: Success
Corresponding events in Windows 2008 and Vista: 4717

621: System Security Access Granted


This event documents the grant of logon rights such as "Access this computer from the network" or "Logon as a service".

Rights, like most other security settings, are defined in group policy objects and applied by the computer. Therefore this event will normally show the Assigned By user as the system itself. To determine who actually made the rights assignment change, you must search the domain controllers' security logs for changes to gpContainer objects (logged by Directory Service auditing). Logon ID allows you to link this event to the prior logon event (528 or 540) of the user who performed this action.

Assigned To identifies the user or group who was assigned the right, prefixed by domain name.

This event documents the system name for each logon right as opposed to the more familiar description. The Logon Rights table below cross-references the two.

Note: This event and 622 log changes strictly to logon rights such as "Access this computer from the network" or "Logon as a service", not to other rights such as "Change the system time" or "Take ownership of files and other objects". For those, see events 608 and 609.

Logon Rights

System name                          Description
SeNetworkLogonRight                  Access this computer from the network
SeRemoteInteractiveLogonRight        Allow logon through Terminal Services
SeDenyNetworkLogonRight              Deny access to this computer from the network
SeDenyBatchLogonRight                Deny logon as a batch job
SeDenyServiceLogonRight              Deny logon as a service
SeDenyInteractiveLogonRight          Deny logon locally
SeDenyRemoteInteractiveLogonRight    Deny logon through Terminal Services
SeBatchLogonRight                    Log on as a batch job
SeServiceLogonRight                  Log on as a service
SeInteractiveLogonRight              Log on locally


Description Fields in 621

  • Access Granted: %4
  • Account Modified: %5
  • Assigned By:
      • User Name: %1
      • Domain: %2
      • Logon ID: %3


Examples of 621

System Security Access Granted:
Access Granted: SeRemoteInteractiveLogonRight
Account Modified: ELM\bspears$
Assigned By:
User Name: W3DC$
Domain: ELM
Logon ID: (0x0,0x3E7)
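
The sketch below is an added example, not part of the original page: it parses a 621 description, translates the system name with the Logon Rights table above, and marks events whose Assigned By is not the system so they can be tied to a 528 or 540 logon event through the Logon ID. The function name `parse_621`, the user `jdoe` in the constructed sample, and the treatment of Logon ID (0x0,0x3E7) as the system's logon session are assumptions.

```python
import re

# System name -> description, copied from the Logon Rights table on this page.
LOGON_RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeRemoteInteractiveLogonRight": "Allow logon through Terminal Services",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyBatchLogonRight": "Deny logon as a batch job",
    "SeDenyServiceLogonRight": "Deny logon as a service",
    "SeDenyInteractiveLogonRight": "Deny logon locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Log on locally",
}
SYSTEM_LOGON_ID = (0x0, 0x3E7)  # assumption: logon session of the local system account
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$")  # skips empty "Assigned By:"
LOGON_ID = re.compile(r"\(0x([0-9A-Fa-f]+),\s*0x([0-9A-Fa-f]+)\)")
REQUIRED = ("Access Granted", "Account Modified", "User Name", "Domain", "Logon ID")

def parse_621(description):
    """Turn the description text of one event 621 into a triage record."""
    fields = dict(m.groups() for m in map(FIELD.match, description.splitlines()) if m)
    missing = [name for name in REQUIRED if name not in fields]
    lid = LOGON_ID.search(fields.get("Logon ID", ""))
    if missing or not lid:
        raise ValueError("incomplete 621 description: %r" % (missing or "Logon ID"))
    logon_id = (int(lid.group(1), 16), int(lid.group(2), 16))
    right = fields["Access Granted"]
    return {
        "right": right,
        "right_description": LOGON_RIGHTS.get(right),  # None: not a logon right
        "account_modified": fields["Account Modified"],
        "assigned_by": fields["Domain"] + "\\" + fields["User Name"],
        "logon_id": logon_id,
        # Normally the system itself; otherwise look up the 528/540 with this Logon ID.
        "needs_logon_correlation": logon_id != SYSTEM_LOGON_ID,
    }

PAGE_EXAMPLE = """System Security Access Granted:
Access Granted: SeRemoteInteractiveLogonRight
Account Modified: ELM\\bspears$
Assigned By:
User Name: W3DC$
Domain: ELM
Logon ID: (0x0,0x3E7)"""  # the example from this page
CONSTRUCTED = PAGE_EXAMPLE.replace("W3DC$", "jdoe").replace("0x3E7", "0x1A2B3")  # constructed

if __name__ == "__main__":
    print(parse_621(PAGE_EXAMPLE), parse_621(CONSTRUCTED), sep="\n")
```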
