AccountLogonLogoff_AuditSpecialLogon

This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.

Audit Policy CSPMicrosoftLearn

PreviousPrivilegeUse_AuditSensitivePrivilegeUse NextAccountManagement_AuditUserAccountManagement

Last updated 2 years ago