Microsoft Windows: Audit Special Logon

Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances. This subcategory allows you to audit events generated by special logons such as the following: - The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. - A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. (C) Microsoft Corporation 2017.