Event Id | 576 |
Source | Security |
Description | Special privileges assigned to new logon: User Name: %1 Domain: %2 Logon ID: %3 Assigned: %4 |
Event Information | According To Microsoft Cause This behavior can occur when the audit policy includes auditing for the successful use of user rights. RESOLUTION: Change the audit policy to discontinue auditing for the successful use of user rights MORE INFORMATION To change the audit policy to stop auditing the successful use of user rights, follow these steps: For Windows NT 4.0 1. Start User Manager for Domains. 2. On the Policies menu, click Audit. 3. In the Audit Policy dialog box, for the object Use of User Rights, click to clear the Success check box, and then click OK. 4. Quit User Manager for Domains For Windows 2000 Server If you set the audit policy on a domain basis 1. Under Administrative Tools, launch the Domain Security Policy. 2. Under Security Settings click Local Policies, and then click audit Policy. 3. Click Audit Privlege Use and click to clear the Success check box. 4. At the command line type secedit /refreshpolicy machine_policy If you set the audit policy at the local computer 1. Under Administrative Tools, launch the Local Security Policy. 2. Under Security Settings click Local Policies, and then click Audit Policy. 3. Click Audit Privledge Use and click to clear the Success check box. 4. At the command line, type secedit /refreshpolicy machine_policy. Cause: This event record indicates that a privilege that is not auditable on an individual-use basis has been assigned to a users security context at logon. Certain privileges have security implications. Assigning such privileges to a user who is not trusted can be a security risk. Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple ti |
Reference Links | More Information Event ID 576 Fills the Security Event Log When Auditing Alternate Event ID in Vista and Windows Server 2008 is 4672. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.