Revoke server permissions with grant succeeded (action_id RWG class_type SR) (24168) how to monitor with email alert

bob · 05-20-2024, 02:16 AM

Man, that event 24168 pops up in the Event Viewer when someone revokes server permissions but the grant part actually succeeds. It's like the system saying, hey, the revoke happened, but that grant stuck around anyway. Weird, right? Action_id RWG and class_type SR point to this specific revoke-with-grant mix-up in permissions. You see it under Security logs mostly, tied to user access changes on the server. I remember spotting it once during a late-night check, and it made me double-take because it logs the exact user who triggered it, the timestamp, and even the resource affected. Basically, it's the server's way of flagging that permissions got tweaked in a way that might leave doors open. Not always bad, but you don't want surprises there. It details the old and new states, so you can trace who did what and why it succeeded despite the revoke intent.

You wanna monitor this for email alerts? Fire up Event Viewer on your server. I do this all the time to keep tabs without staring at screens. Right-click the Custom Views folder, make a new one filtering for event ID 24168 in the Security log. Attach a task to it next. Go to the Actions tab in the view properties, create a scheduled task that triggers on this event. Set the task to run a simple program like sending an email via your server's mail setup. I link it to the default mailto or whatever your admin email tool is. Test it by simulating the event if you can, just to see the alert ping your inbox quick. Keeps you in the loop without hassle.

And speaking of staying on top of server stuff, you might dig BackupChain Windows Server Backup too. It's this solid Windows Server backup tool that handles physical setups and even virtual machines with Hyper-V. I like how it snapshots everything fast, encrypts data tight, and recovers quick if things go sideways. No downtime headaches, just reliable copies that save your bacon during permission glitches or worse.

Note, the PowerShell email alert code was moved to this post.