Event ID - 576

Event Id576
SourceSecurity
DescriptionSpecial privileges assigned to new logon:
User Name: %1
Domain: %2
Logon ID: %3
Assigned: %4
Event InformationAccording To Microsoft
Cause

This behavior can occur when the audit policy includes auditing for the successful use of user rights.

RESOLUTION:
Change the audit policy to discontinue auditing for the successful use of user rights

MORE INFORMATION
To change the audit policy to stop auditing the successful use of user rights, follow these steps:

For Windows NT 4.0
1. Start User Manager for Domains.
2. On the Policies menu, click Audit.
3. In the Audit Policy dialog box, for the object Use of User Rights, click to clear the Success check box, and then click OK.
4. Quit User Manager for Domains

For Windows 2000 Server
If you set the audit policy on a domain basis
1. Under Administrative Tools, launch the Domain Security Policy.
2. Under Security Settings click Local Policies, and then click audit Policy.
3. Click Audit Privlege Use and click to clear the Success check box.
4. At the command line type secedit /refreshpolicy machine_policy
If you set the audit policy at the local computer
1. Under Administrative Tools, launch the Local Security Policy.
2. Under Security Settings click Local Policies, and then click Audit Policy.
3. Click Audit Privledge Use and click to clear the Success check box.
4. At the command line, type secedit /refreshpolicy machine_policy.


Cause:
This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a users security context at logon. Certain privileges have security implications. Assigning such privileges to a user who is not trusted can be a security risk. Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple ti
Reference LinksMore Information

Event ID 576 Fills the Security Event Log When Auditing

Alternate Event ID in Vista and Windows Server 2008 is 4672.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.