09-12-2024, 09:46 PM
I remember spotting that event 4964 in the logs one time. It pops up when special groups get slapped onto a new logon session. You know, like those admin privileges or other high-level stuff getting handed out right as someone logs in. The full scoop is that it logs the user account, the session ID, and exactly which groups were assigned. Sometimes it's normal, but it could flag weird access too. I always check the details for the logon ID and the group names listed there. That way you see if it's your IT crew or something sketchy. And the event source is usually Security, under the System log in Event Viewer. It ties back to auditing special logon rights in your policy settings. If you ignore it, you might miss privilege escalations sneaking in.
You can keep an eye on this without much hassle. Just fire up Event Viewer on your server. Right-click the Security log and pick "Attach Task to This Event." It'll ask for the event ID, so type in 4964. Then set it to trigger on that specific one. I like naming the task something like "Alert on Special Groups." For the action, you choose to start a program that shoots off an email. Pick your email client or a simple mail sender if you have one handy. Make sure it runs with admin rights too. Test it by forcing a logon that triggers the event. You'll get pinged quickly if it fires again.
That covers the basics for watching it yourself. But if you want hands-off, the automatic email solution sits at the end of this.
Speaking of keeping your server tight, I've been messing with BackupChain Windows Server Backup lately. It's this slick Windows Server backup tool that handles your whole setup, including Hyper-V virtual machines without a hitch. You get fast incremental backups that don't bog down your system. Plus, it restores files or full VMs super quick, and the encryption keeps everything locked down. I dig how it schedules everything automatically, so you sleep easy knowing your data's covered.
Note: the PowerShell email alert code was moved to this post.
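The procedure above (attach a task to event 4964, run something with admin rights that emails you, check the logon ID and group names in the event details) as one PowerShell script. This is an added example, not the poster's code and not the script the post says was moved elsewhere. It assumes an SMTP relay, sender and recipient address, and a script path that you replace with your own, and it also checks the two prerequisites that decide whether 4964 is ever written at all: the "Special Logon" subcategory must audit success, and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups must list at least one group SID.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Three modes:
#   .\Alert-SpecialGroups.ps1            show audit prerequisites and the last 24h of 4964 events
#   .\Alert-SpecialGroups.ps1 -Register  create the event-triggered task ("Alert on Special Groups")
#   .\Alert-SpecialGroups.ps1 -Alert     what the task runs: mail any 4964 from the last 5 minutes
param([switch]$Register, [switch]$Alert)

# Assumptions: replace with your relay, addresses and where you saved this script.
$SmtpServer = 'smtp.example.internal'
$MailFrom   = 'alerts@example.internal'
$MailTo     = 'secops@example.internal'
$TaskName   = 'Alert on Special Groups'
$ScriptPath = 'C:\Scripts\Alert-SpecialGroups.ps1'

function Test-SpecialGroupAuditing {
    # 4964 is only generated when the Special Logon subcategory audits success AND
    # the SpecialGroups registry value (semicolon-separated SIDs) is populated.
    $policy = auditpol /get /subcategory:"Special Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
    $reg    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit' `
                               -Name SpecialGroups -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SuccessAudited = [bool]($policy.'Inclusion Setting' -match 'Success')
        SpecialGroups  = if ($reg.SpecialGroups) { $reg.SpecialGroups -split ';' } else { @() }
    }
}

function Get-SpecialGroupLogon {
    param([int]$Minutes = 60)
    $filter = @{ LogName = 'Security'; Id = 4964; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # SidList holds the special group SIDs as "%{S-1-5-...}" tokens; extract and resolve them.
        $sids  = [regex]::Matches([string]$data['SidList'], 'S-1-[\d-]+') | ForEach-Object { $_.Value }
        $names = foreach ($sid in $sids) {
            try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }   # unresolvable SID (deleted group, foreign domain): keep the raw SID
        }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            NewLogon      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonId       = $data['TargetLogonId']
            SpecialGroups = ($names -join ', ')
        }
    }
}

function Send-SpecialGroupAlert {
    param([Parameter(Mandatory)]$Events)
    $body = $Events | Format-List | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject "[$env:COMPUTERNAME] Event 4964: special groups assigned to a new logon" -Body $body
}

function Register-SpecialGroupAlertTask {
    # Same thing "Attach Task to This Event" builds: an event trigger with an XPath subscription.
    $triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=4964]]</Select></Query></QueryList>'
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`" -Alert"
    # Reading the Security log needs an elevated context; run as SYSTEM with highest privileges.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}

if ($Register) {
    Register-SpecialGroupAlertTask
}
elseif ($Alert) {
    $recent = @(Get-SpecialGroupLogon -Minutes 5)
    if ($recent.Count -gt 0) { Send-SpecialGroupAlert -Events $recent }
}
else {
    Test-SpecialGroupAuditing
    Get-SpecialGroupLogon -Minutes 1440 | Format-Table -AutoSize
}
```

Run it once with no switches first: if SuccessAudited is False or SpecialGroups is empty, no logon will ever produce a 4964 and the task will sit idle, which is the quiet failure mode worth ruling out before you trust the alert. The -Alert path mails whatever fired in the last five minutes rather than parsing the triggering event's arguments, so a burst of logons lands in one message instead of one email per session.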

