Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Description of the Special Groups feature in Windows Vista and in Windows Server 2008



Introduction

Special Groups is a new feature in Windows Vista and in Windows Server 2008. It lets an administrator find out when a member of a particular group logs on to the computer. The administrator stores a list of group security identifiers (SIDs) in the registry, and an audit event is logged in the Security log when both of the following conditions are true:
  • One or more of the listed group SIDs is present in the access token that is built when a user logs on.

    Note An access token contains the security information for a logon session. It identifies the user, the user's groups, and the user's rights (privileges). Because the token holds the user's expanded group list, membership through a nested group also counts.
  • The Audit Special Logon subcategory (under Logon/Logoff in the audit policy) is enabled for success events.



More information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To specify the list of the special groups, add the SpecialGroups registry entry. To do this, follow these steps:
  1. Click Start, type regedit in the Start Search box, and then press ENTER.

    Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
  3. On the Edit menu, point to New, and then click String Value.
  4. Type SpecialGroups, and then press ENTER.
  5. Right-click SpecialGroups, and then click Modify.
  6. In the Value data box, type the group SIDs, and then click OK.

    Notes
    • Use a semicolon character (;) to delimit the SIDs in the list. For example, the following string uses a semicolon to delimit two SIDs:
      S-1-5-32-544;S-1-5-32-123-54-65
    • There is no restriction on the number of SIDs that you can enter in the Value data box.
  7. Exit Registry Editor.
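As an added example that is not part of the Knowledge Base article, the following PowerShell script performs steps 1 through 7 from an elevated prompt and also enables the audit subcategory that event 4964 depends on. The SIDs are assumptions: S-1-5-32-544 is the well-known BUILTIN\Administrators SID, and the second entry is a placeholder that must be replaced with a group SID from your own domain. The subcategory GUID {0CCE921B-69AE-11D9-BED3-505054503030} identifies Audit Special Logon to auditpol.exe independently of the display language.

```powershell
# Added example, not from the KB article. Run from an elevated PowerShell prompt
# (PowerShell 2.0 or later; on Windows Vista / Server 2008 it is a separate download).

# Assumed SIDs: S-1-5-32-544 is the well-known BUILTIN\Administrators SID; the
# second value is a placeholder and must be replaced with a real group SID.
$specialGroupSids = @(
    'S-1-5-32-544',
    'S-1-5-21-1111111111-2222222222-3333333333-512'   # placeholder domain group SID
)

# Reject anything that does not have the S-1-<authority>-<subauthorities> shape
# before it is written, so a typo does not end up in the policy.
foreach ($sid in $specialGroupSids) {
    if ($sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a valid SID string: $sid" }
}

$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'
if (-not (Test-Path $auditKey)) {
    New-Item -Path $auditKey -Force | Out-Null
}

# SpecialGroups is a REG_SZ value holding the SIDs separated by semicolons.
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' `
    -Value ($specialGroupSids -join ';') -Type String

# Event 4964 is generated only when the Logon/Logoff > Special Logon
# subcategory audits success. The GUID form works regardless of display language.
auditpol.exe "/set" "/subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}" "/success:enable" | Out-Null

# Verify what was written and what the effective audit setting is.
(Get-ItemProperty -Path $auditKey -Name 'SpecialGroups').SpecialGroups
auditpol.exe "/get" "/subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}"
```

If the audit policy is managed by Group Policy, the local auditpol.exe change will be overwritten at the next policy refresh; set Audit Special Logon in the GPO instead and keep only the registry portion of the script. The registry value itself is not managed by any Group Policy setting in these releases, so it has to be deployed by script or Group Policy Preferences.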
When a user logs on, the Special Groups feature compares the group SIDs in the new access token against the configured list. If one or more of them match, an audit event that resembles the following is logged in the Security event log. The Subject section describes the account that requested the logon (shown here as the computer account), the New Logon section describes the user's session, and the matching SIDs appear under Special Groups Assigned:

Event ID: 4964
Special groups have been assigned to a new logon.
Subject:
Security ID: Computer SID
Account Name: Computer Name
Account Domain: Computer Account Domain
Logon ID: Computer Logon ID
Logon GUID: Computer Logon GUID

New Logon:
Security ID: User SID
Account Name: User Account Name
Account Domain: User Account Domain
Logon ID: User Logon ID
Logon GUID: User Logon GUID
Special Groups Assigned: Group SID
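As an added example that is not part of the Knowledge Base article, the following PowerShell function reads event 4964 from the Security log and reports, per new logon, which configured special groups the token carried. It assumes PowerShell 2.0 or later for Get-WinEvent, and it assumes the EventData field names that event 4964 uses in its XML (TargetUserSid, TargetUserName, TargetDomainName, TargetLogonId, SidList); confirm them against one of your own events with (Get-WinEvent ...).ToXml() if a column comes back empty.

```powershell
# Added example, not from the KB article. Requires PowerShell 2.0 or later and
# an elevated prompt (reading the Security log needs administrative rights).
# The EventData field names below are assumed to be those event 4964 uses in
# its XML; check with (Get-WinEvent ...).ToXml() if a field comes back empty.

function Get-SpecialGroupLogon {
    param([int]$MaxEvents = 200)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # SidList may carry the SIDs wrapped as %{S-1-...}; pull out the bare SIDs
        # so the output matches what was written to the SpecialGroups value.
        $groups = [regex]::Matches([string]$data['SidList'], 'S-1-\d+(-\d+)+') |
            ForEach-Object { $_.Value }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            UserSid = $data['TargetUserSid']
            LogonId = $data['TargetLogonId']   # same Logon ID as the matching 4624 event
            Groups  = ($groups -join ';')
        }
    }
}

# Most recent special-group logons first.
Get-SpecialGroupLogon | Sort-Object Time -Descending |
    Format-Table Time, Account, UserSid, LogonId, Groups -AutoSize
```

The LogonId column is the same Logon ID that appears in the New Logon section of the corresponding 4624 (An account was successfully logged on) event, so it can be used to look up the logon type and the source workstation or address for a special-group logon. Event 4964 itself records only that a listed group was in the token, not how the session was established.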



Keywords: KB947223, kbinfo, kbexpertiseadvanced


Article Info
Article ID : 947223
Revision : 5
Created on : 1/22/2008
Published on : 1/22/2008
Exists online : False