Windows Security Log Event ID 6272

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Logon/Logoff
 • Network Policy Server
Type Success
Corresponding events
in Windows 2003
and before		  

6272: Network Policy Server granted access to a user

On this page

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

With the release of Server 2016, version 2 of the event was added.  Server 2016 has the following modifications:

  • Removed OS-version
  • Removed Proxy Policy Name
  • Added Connection Request Policy Name
  • Added Logging Results
  • Removed Quarantine Information and its child fields

Free Security Log Resources by Randy

Description Fields in 6272

User:

  • Security ID
  • Account Name
  • Account Domain
  • Fully Qualified Account Name

Client Machine:

  • Security ID
  • Account Name
  • Fully Qualified Account Name
  • OS-Version (Removed in 2016)
  • Called Station Identifier
  • Calling Station Identifier

NAS:

  • NAS IPv4 Address
  • NAS IPv6 Address
  • NAS Identifier
  • NAS Port-Type
  • NAS Port

RADIUS Client:

  • Client Friendly Name
  • Client IP Address

Authentication Details:

  • Connection Request Policy Name
  • Proxy Policy Name (Removed in 2016)
  • Network Policy Name
  • Authentication Provider
  • Authentication Server
  • Authentication Type
  • EAP Type
  • Account Session Identifier
  • Logging Results (Added in 2016)

Quarantine Information (removed in 2016)

  • Result (Removed in 2016)
  • Session Identifier (Removed in 2016)

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 6272

2016 and later

Network Policy Server granted access to a user.

User:

   Security ID:   %1
   Account Name:   %2
   Account Domain:   %3
   Fully Qualified Account Name: %4

Client Machine:

   Security ID:   %5
   Account Name:   %6
   Fully Qualified Account Name: %7
   Called Station Identifier:  %8
   Calling Station Identifier:  %9

NAS:

   NAS IPv4 Address:  %10
   NAS IPv6 Address:  %11
   NAS Identifier:   %12
   NAS Port-Type:   %13
   NAS Port:   %14

RADIUS Client:

   Client Friendly Name:  %15
   Client IP Address:   %16
  
Authentication Details:

   Connection Request Policy Name:  %17
   Network Policy Name:  %18
   Authentication Provider:  %19
   Authentication Server:  %20
   Authentication Type:  %21
   EAP Type:   %22
   Account Session Identifier:  %23
   Logging Results: %24

2012r2

Network Policy Server granted access to a user.

User:

   Security ID:   %1
   Account Name:   %2
   Account Domain:   %3
   Fully Qualified Account Name: %4

Client Machine:

   Security ID:   %5
   Account Name:   %6
   Fully Qualified Account Name: %7
   OS-Version:   %8
   Called Station Identifier:  %9
   Calling Station Identifier:  %10

NAS:

   NAS IPv4 Address:  %11
   NAS IPv6 Address:  %12
   NAS Identifier:   %13
   NAS Port-Type:   %14
   NAS Port:   %15

RADIUS Client:

   Client Friendly Name:  %16
   Client IP Address:   %17
  
Authentication Details:

   Proxy Policy Name:  %18
   Network Policy Name:  %19
   Authentication Provider:  %20
   Authentication Server:  %21
   Authentication Type:  %22
   EAP Type:   %23
   Account Session Identifier:  %24

Quarantine Information:

   Result:    %25
   Session Identifier:   %26

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!