What is event ID 4674?

Event 4674 indicates that the specified user exercised the user right specified in the Privileges field. Note: “User rights” and “privileges” are synonymous terms used interchangeably in Windows. Some user rights are logged by 4674 – others by 4673.

What is SeSecurityPrivilege?

SeSecurityPrivilege is the short name for the Manage auditing and the security log right. This right lets you use Event Viewer to both view and clear the Security log and edit the audit control list of objects such as files, folders, printers, registry keys, and Active Directory (AD) objects.

What is object server LSA?

The LSA stores local security policy information in a set of objects. Your application can query or edit the local security policy by accessing these objects. The set consists of the following four objects: Policy contains global policy information. TrustedDomain contains information about a trusted domain.

What is SeAssignPrimaryTokenPrivilege?

SeAssignPrimaryTokenPrivilege is the short name for the Replace a process-level token right. It is required to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.

What is Windows security Event ID 4672 and what does it indicate?

4672: Special privileges assigned to new logon. This event lets you know whenever an account assigned any “administrator equivalent” user rights logs on. For instance, you will see event 4672 in close proximity to logon events (4624) for administrators, since administrators have most of these admin-equivalent rights.

What does a user’s local group membership was enumerated mean?

4798: A user’s local group membership was enumerated. Windows logs this event when a process enumerates the local groups to which the specified user belongs on that computer.

What is LSA in domain controller?

Local Security Authority (LSA) is a protected Microsoft Windows subsystem that is part of the Windows Client Authentication Architecture. It authenticates users and creates logon sessions on the local computer.

What is Audit object access?

The Audit object access policy handles auditing access to all objects outside AD. The first use you might think of for the policy is file and folder auditing, but you can use it to audit access to any type of Windows object including registry keys, printers, and services.

What does event ID 4674 mean?

Event ID 4674 – An operation was attempted on a privileged object. Windows logs event ID 4674 to register that a user has a set of special privileges when the user logs in.

What is a privileged use event?

The event is described as Privileged use, with the subcategory either Sensitive privileges exercised by User rights/Privileges (the two terms are interchangeable) or An operation was attempted on a privileged object. The type is typically set to display a successful audit.

What is the difference between failure event and SeSecurityPrivilege event?

This event is generated, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used. A failure event is generated when the operation attempt fails.
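
Added example (not from the original page): a Python triage that reads events 4672, 4673 and 4674 in Event Viewer's XML layout, reports each use of SeSecurityPrivilege or SeAssignPrimaryTokenPrivilege with its audit outcome, and checks whether a 4672 for the same logon ID listed that privilege. The sample events, account names and logon IDs are constructed, and the watch list and the logon-ID correlation are assumptions to adapt.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x0010000000000000  # Keywords bit set on Audit Failure events
WATCHED = {"SeSecurityPrivilege", "SeAssignPrimaryTokenPrivilege"}  # assumed watch list

def make_event(eid, keywords, **data):
    """Build one constructed event in the Event Viewer XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Keywords>{keywords}</Keywords></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample: alice logs on with admin-equivalent rights and uses one;
# bob's attempt fails and no 4672 was recorded for his logon session.
SAMPLE_EVENTS = [
    make_event(4672, "0x8020000000000000", SubjectUserName="alice",
               SubjectLogonId="0x3e7a1",
               PrivilegeList="SeSecurityPrivilege\n\t\t\tSeBackupPrivilege"),
    make_event(4674, "0x8020000000000000", SubjectUserName="alice",
               SubjectLogonId="0x3e7a1", ObjectServer="Security",
               PrivilegeList="SeSecurityPrivilege"),
    make_event(4674, "0x8010000000000000", SubjectUserName="bob",
               SubjectLogonId="0x51c20", ObjectServer="LSA",
               PrivilegeList="SeSecurityPrivilege"),
]

def parse(xml_text):
    """Extract the fields the triage needs from one event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text or ""
            for d in root.iterfind("e:EventData/e:Data", NS)}
    keywords = int(root.findtext("e:System/e:Keywords", namespaces=NS), 16)
    return {"id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "failed": bool(keywords & AUDIT_FAILURE),
            "user": data.get("SubjectUserName", ""),
            "logon": data.get("SubjectLogonId", ""),
            "server": data.get("ObjectServer", ""),
            "privs": set(data.get("PrivilegeList", "").split())}

def triage(events):
    """Return (user, privilege, object server, outcome, listed_in_4672) tuples."""
    granted, findings = {}, []  # granted: logon id -> privileges from its 4672
    for ev in map(parse, events):
        if ev["id"] == 4672:
            granted[ev["logon"]] = ev["privs"]
        elif ev["id"] in (4673, 4674):
            outcome = "failure" if ev["failed"] else "success"
            for priv in sorted(ev["privs"] & WATCHED):
                findings.append((ev["user"], priv, ev["server"], outcome,
                                 priv in granted.get(ev["logon"], set())))
    return findings
```
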

What is a privileged object for account operators?

“Account Operators can’t manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators.” So the “privileged object” is simply a VIP account of someone with privileges higher than the managing Account Operator member.