Changes to a user s privileges or attempts to use privileges in an unauthorized manner might require investigation. These events help support these queries.
Parameters: Special privileges assigned to the new user (SeChangeNotifyPrivilege, SeAuditPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege), user name, domain, logon ID, privileges.
Configurable Information: Success
Formal name: SE_AUDITID_ ASSIGN_SPECIAL_PRIV
This event message is generated when the user logs on.
Parameters: Privileged service called, server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_ PRIVILEGED_SERVICE
Callers of PrivilegedServiceAuditAlarm generate this event.
Parameters: Privileged object operation, object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, privileges.
Configurable Information: Success
Formal name: SE_AUDITID_PRIVILEGED_OBJECT