Audit Special Logon

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when:

• A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.

• A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=120183).

Users holding special privileges can potentially make changes to the system. It is recommended to track their activity.

Event volume: Low

Default: Success

If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.