WinSecWiki > Security Settings > Local Policies > User Rights > Tracking Rights

Tracking User Rights with the Security Log

You can detect when an account with any admin rights logs on by looking for event ID 576/4674 in the security log.

You can detect changes in assignments of most rights using event IDs 608/4704 and 609/4705 in the security log. These 2 events do not track assignments or revocations of logon rights. To track changes in assignment of logon rights look for event IDs 621/4717 and 622/4718.

Back to top


Additional Resources