In Microsoft Windows, the Security Log is a log that records login/logout activity as well as other security-related events as defined by the system’s audit policy. Administrators can set up Windows to record operating system activity in the Security Log by using auditing.

Windows has five different “logon kinds” that you can use to sign on. Every time you log on, the Windows Security Log records the logon type as event ID 4624. You can find out the user’s logon type to find out if they logged on directly at the console, remotely, through a network share, or as part of a service or scheduled job that was just commencing.

You can manage users’ ability to log on in any of these five methods in addition to knowing the session type in logon events. Five user rights can be found in the group policy under Computer Configuration/Windows Settings/Security Setting/User Right Assignments and control whether a user account can log on. Each login type has an allow and deny option. You need to own the necessary allow right in order to login in a certain manner.

Events 4717 and 4718 use the system name for the right as stated in the corresponding column in the table above to identify the login right in question in the “Access Granted”/”Access Removed” field. The “Account Modified” field of the events additionally contains information about the person or organization to whom the right was granted or revoked.

So how can you ascertain who has been awarded or denied the right? Talk to one of our professionals today.