NT Gatekeeper: Detecting User Rights Changes

What's the easiest way to detect user rights changes on a Windows NT 4.0 system? I'd like to find out which accounts have used the Change the system time user privilege on a particular system.

Use the NT Event Viewer to check your NT 4.0 system's Security event log. Security event ID 577 or event ID 578 indicates an attempt to change user rights. As Figure 1 shows, the event details show the username of the account that performed the action, as well as the privilege's string constant (which appears in the Privileges entry). The string constant for the Change the system time user right is SeSystemtimePrivilege. Table 1, page 16, shows a list of the NT 4.0 privileges and their corresponding string constants. These security events are logged only if you've enabled Use of User Rights auditing for your system or domain.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish