Q: What is the audit policy subcategory Special Logon, and what is it used for?

A: An important auditing change in Windows Server 2008 and Windows Vista is the ability to define Granular Audit Policies (GAPs). In older OSs, Windows audit policy lets you configure auditing for only a limited set of high-level auditing categories such as logon events (events at the console level), account logon events (events at the domain controller level), object access, and system events. In Server 2008 and Vista, you can configure audit policies for subcategories of the legacy high-level audit categories. For example, logon events are split into subcategories such as logon, logoff, and account lockout. These GAPs can be configured only from the command line using the Auditpol tool (auditpol.exe); you can't configure them in the Microsoft Management Console (MMC) Local Security Policy or Group Policy Object Editor snap-ins.

One of the GAP subcategories in Auditpol's Logon/Logoff audit category is Special Logon, shown here in the Auditpol list. Special Logon is enabled by default for success events.

The Auditpol list.

The Special Logon auditing subcategory is part of a new auditing feature in Server 2008 and Vista called Special Groups. Administrators can use this feature to find out when a member of a certain group logs on to a specific computer. For example, if you have a file server that's reserved for your organization's research department, you'll always have users other than those in the research department who access the file server, such as the server operators in your IT department. If your research department's file server stores confidential information, the department might ask you to generate an audit trail that specifically logs all file server logon events of server operators. In the legacy Windows auditing system, you would need to enable the Audit logon events category for all users, which would log all logons and logoffs on a system, and then filter for the audit events that are related to server operator account logons. In Server 2008 and Vista, you can use GAPs and the Special Logon audit subcategory to log a specific event each time a member of the server operators' group logs on to the research department's file server.

The Special Logon audit subcategory uses a new registry key called SpecialGroups that you can create on the server on which you want to perform granular auditing, such as the research department's file server in the above example. The SpecialGroups key lists the SIDs of important groups for which you want to track the logon events. If the Special Logon audit subcategory is enabled (remember that it's enabled by default for success events), each time a user who is a member of a group listed in the SpecialGroups key logs on to the server, the Windows auditing system will generate an event with ID 4964 in the server's security event log.

If you look at the details of such an event in the MMC Event Viewer snap-in, you'll see the message "Special groups have been assigned to a new logon," as shown here. The event also lists the account name of the user, the special groups the user is a member of, the machine the event occurred on, and the date and time when the event occurred. The use of the special event ID 4964 makes it easy to track these events.

The Event Viewer message.

This Special Logon auditing feature uses the fact that when a user logs on to Windows, a list of the groups that the user is a member of is stored in the user's access token. The access token is the Windows security construct that contains the user's security information (e.g., SID, user group memberships, user rights) for the logon session. To look at the content of your personal access token, use the Whoami (whoami.exe) command-line tool.

The SpecialGroups registry key is a string (REG_SZ) registry value that must be created in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit registry container. If you want to track logon events for groups, you must specify their SIDs, separated by semicolons, in the SpecialGroups registry key. To find the SID of a group, use the PsGetSid command-line utility available from Microsoft's Sysinternals site or as part of Sysinternals' PsTools set. The screenshot below shows how to retrieve the SID of the Server Operators group using PsGetSid.

How to retrieve an SID.

The Special Logon auditing feature is documented in the Microsoft article "Description of the Special Groups feature in Windows Vista and in Windows Server 2008."
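
The configuration steps described above, collected into one PowerShell sequence. This is an added example, not part of the original article; the function name Add-SpecialGroup is hypothetical, and it resolves the SID with .NET's NTAccount translation in place of PsGetSid. Run it from an elevated prompt on the server you want to audit.

```powershell
# Added example (not from the original article). Add-SpecialGroup is a hypothetical helper name.
function Add-SpecialGroup {
    param(
        # Group to track, e.g. 'BUILTIN\Server Operators' or 'CONTOSO\Research Admins' (constructed names)
        [Parameter(Mandatory)] [string] $GroupName
    )

    # Resolve the group name to its SID (the article uses PsGetSid for this step).
    $sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Merge with SIDs already listed so existing entries are not overwritten.
    $current = (Get-ItemProperty -Path $key -Name SpecialGroups -ErrorAction SilentlyContinue).SpecialGroups
    $sids = @(@($current -split ';' | Where-Object { $_ }) + $sid | Select-Object -Unique)

    # SpecialGroups is a REG_SZ value holding the SIDs separated by semicolons.
    New-ItemProperty -Path $key -Name SpecialGroups -PropertyType String `
        -Value ($sids -join ';') -Force | Out-Null
    return $sids
}

# 1. Register the group whose logons should be tracked.
Add-SpecialGroup -GroupName 'BUILTIN\Server Operators'

# 2. Make sure the Special Logon subcategory audits success events, then confirm the setting.
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /get /subcategory:"Special Logon"

# 3. Review the resulting events (ID 4964) in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message |
    Format-List
```

Step 3 returns nothing until a member of a listed group has logged on after the value was set.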
