
Revoke server permissions succeeded (action_id R class_type SR) (24166) how to monitor with email alert

#1
08-10-2024, 12:34 AM
You ever notice those logs popping up in Event Viewer on your Windows Server? That event ID 24166, it's all about revoking server permissions successfully. The message says "Revoke server permissions succeeded (action_id R class_type SR)". Picture this, someone or some process just pulled back access rights from a user or group on the server. It logs the action ID as R, which flags the revoke part, and class_type SR points to the specific server resource involved. This happens in the security channel, usually under Microsoft-Windows-Security-Auditing.

Why does it matter? It shows your system tightened up controls, like kicking out unwanted access. But if it's firing too often, maybe check for suspicious patterns. I mean, you don't want ghosts in your machine messing with perms. This event captures the exact timestamp, the account that triggered it, and the object whose perms got yanked. It's detailed, right down to the security ID of the user. And it confirms the action wrapped up without a hitch. Hmmm, sometimes these revokes come from admin tools or policies enforcing least privilege. You can filter for it in Event Viewer by ID alone. Just right-click the log, pick filter, slap in 24166. It'll show you the whole trail.

Now, to watch it with an email alert, fire up Event Viewer on your server. Go to the custom views section, create a new one based on that security log. Set it to snag event ID 24166. Save that view. Then, right-click it and attach a task to the event. You pick create task from there. In the task wizard, name it something like Permission Revoke Alert. Under triggers, it auto-links to your view. For actions, choose send an email. Yeah, you input your SMTP server details, the to and from addresses. Make sure to add a subject like Urgent: Perms Revoked on Server. And in the body, use placeholders for event details so it spits out the log info. Set it to run whether user logged on or not, highest privileges. Test it by triggering a revoke manually if you can. That way, emails ping you right when it happens. Or, if it's quiet, you sleep easy knowing it's covered.

But wait, for that hands-off vibe, at the end here is the automatic email solution.

Switching gears to backups, since perms like this tie into keeping your server safe from mishaps, I've been digging BackupChain Windows Server Backup lately. It's this slick Windows Server backup tool that handles physical setups and even Hyper-V virtual machines without breaking a sweat. You get fast incremental backups, easy restores, and it dodges those common pitfalls like lockups during imaging. Plus, the deduping saves tons of space, and it's got solid encryption for your data peace of mind.

Note, the PowerShell email alert code was moved to this post.

bob
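
Task Scheduler marks its built-in "Send an e-mail" action as deprecated on Windows Server 2012 and later, so the alert is commonly wired up as a scheduled script instead. The sketch below is an added example, not the code from the post or from the linked PowerShell post; it assumes, as the post states, that the event is written to the Security log with ID 24166, and the SMTP host, addresses and checkpoint path are placeholders.

```powershell
# Added example: poll for the event and mail anything new. Run elevated
# (reading the Security log requires it), e.g. from a scheduled task every few minutes.
$EventId    = 24166                                  # event ID from the post
$LogName    = 'Security'                             # log named in the post
$StateFile  = 'C:\ProgramData\RevokeAlert\last.txt'  # hypothetical checkpoint file
$SmtpServer = 'smtp.example.com'                     # placeholder
$From       = 'server-alerts@example.com'            # placeholder
$To         = 'admin@example.com'                    # placeholder

# Resume after the last event already reported; on first run look back one hour.
$since = (Get-Date).AddHours(-1)
if (Test-Path $StateFile) {
    $since = [datetime]::Parse((Get-Content $StateFile -Raw).Trim(),
                               [cultureinfo]::InvariantCulture, 'RoundtripKind')
}

# Get-WinEvent raises an error when nothing matches, so silence that case.
# StartTime is inclusive, hence the extra client-side "-gt" to avoid re-sending.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.TimeCreated -gt $since } |
          Sort-Object TimeCreated

if ($events) {
    # One block per event: time, host, record number, then the rendered message text.
    $body = ($events | ForEach-Object {
        "{0:o}  {1}  record {2}`r`n{3}" -f $_.TimeCreated, $_.MachineName, $_.RecordId, $_.Message
    }) -join "`r`n`r`n"

    # Port and TLS settings are placeholders; add -Credential if the relay requires it.
    Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -From $From -To $To `
        -Subject "Urgent: Perms Revoked on Server ($(@($events).Count) event(s))" `
        -Body $body -ErrorAction Stop

    # Advance the checkpoint only after the mail went out, so a failed send is retried.
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    @($events)[-1].TimeCreated.ToString('o') | Set-Content $StateFile
}
```

Send-MailMessage ships with Windows PowerShell 5.1 but is flagged obsolete in current documentation, so treat it as a stand-in for whatever mail relay client your environment approves.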
© by FastNeuron Inc.
