Special Groups is a feature introduced in Windows Vista and Windows Server 2008. It lets an administrator find out when a member of a particular group logs on to the computer. The administrator sets a list of group security identifiers (SIDs) in the registry, and an audit event is written to the Security log if both of the following conditions are true:
- One of the listed group SIDs is present in the access token that is built when the user logs on.
- The Special Logon audit subcategory (under the Logon/Logoff category) is enabled in the audit policy settings.
Note An access token contains the security information for a logon session. The token identifies the user, the user's groups, and the user's rights. Because the check is made against the token, nested group membership is covered: a user who belongs to a special group indirectly, through another group, still has that SID in the token.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To specify the list of the special groups, add the SpecialGroups registry entry. To do this, follow these steps:
- Click Start, type regedit in the Start Search box, and then press ENTER.
Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
- On the Edit menu, point to New, and then click String Value.
- Type SpecialGroups, and then press ENTER.
- Right-click SpecialGroups, and then click Modify.
- In the Value data box, type the group SIDs, separating multiple SIDs with semicolons (for example, S-1-5-32-544;S-1-5-21-...), and then click OK.
- Exit Registry Editor.
When a user logs on, the Special Groups feature checks whether any SID in the new access token is on the SpecialGroups list. If the user belongs to one or more special groups, an audit event that resembles the following is logged in the Security event log. The Subject section identifies the account that requested the logon (typically the computer account or Local System); the New Logon section identifies the user whose token contains the special group SID:
Event ID: 4964
Special groups have been assigned to a new logon.
Subject:
Security ID: Computer SID
Account Name: Computer Name
Account Domain: Computer Account Domain
Logon ID: Computer Logon ID
Logon GUID: Computer Logon GUID
New Logon:
Security ID: User SID
Account Name: User Account Name
Account Domain: User Account Domain
Logon ID: User Logon ID
Logon GUID: User Logon GUID
Special Groups Assigned: Group SID
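The registry procedure above and the event it produces, done from an elevated PowerShell session as an added example that is not part of this article. The script resolves group names to SIDs, writes the SpecialGroups value, enables the Special Logon subcategory with auditpol.exe, and then reads back any event 4964 entries. The two group names are assumptions (local Administrators, and Domain Admins in the domain of the logged-on user); substitute the groups you want to track. The event-data parsing does not depend on particular field names: it dumps every named Data element of the event, so it works whatever the exact schema of 4964 is on your build.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original KB article.
# Configures Special Groups auditing and reads back event 4964 entries.

$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

# Groups to track. Assumption: these are the groups of interest on a domain-joined host.
$groupNames = @(
    'BUILTIN\Administrators'            # local Administrators, well-known SID S-1-5-32-544
    "$env:USERDOMAIN\Domain Admins"     # assumed domain group; fails gracefully on a workgroup host
)

# Resolve names to SIDs so that no SID has to be typed by hand.
$sids = foreach ($name in $groupNames) {
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Could not resolve '$name': $_"
    }
}
if (-not $sids) { throw 'No group could be resolved; nothing to configure.' }

# The Audit subkey exists on Windows Vista / Server 2008 and later; create it if it is missing.
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }

# SpecialGroups is a REG_SZ (String Value) holding the SIDs separated by semicolons.
New-ItemProperty -Path $auditKey -Name 'SpecialGroups' -PropertyType String `
    -Value ($sids -join ';') -Force | Out-Null

# Without the Special Logon subcategory enabled, no 4964 event is ever written.
auditpol.exe /set /subcategory:"Special Logon" /success:enable | Out-Null

# Show the resulting configuration.
"SpecialGroups = " + (Get-ItemProperty -Path $auditKey -Name 'SpecialGroups').SpecialGroups
auditpol.exe /get /subcategory:"Special Logon"

# Read back the most recent 4964 events (none until a member of a listed group logs on).
# Each event is flattened into one object with a property per named EventData field,
# so the Subject and New Logon fields can be inspected without knowing the exact schema.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ TimeCreated = $_.TimeCreated }
        foreach ($field in $xml.Event.EventData.Data) { $row[$field.Name] = $field.'#text' }
        [pscustomobject]$row
    } | Format-List
```

To verify the setup without waiting for a real logon, log on interactively (or run a command with `runas`) as a member of one of the listed groups and re-run the last pipeline; the Special Groups Assigned field of the new 4964 event should list the matching SID. The per-event dump is also a convenient shape to forward to a SIEM, since the group SID and the user's logon ID are the fields a detection rule keys on.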