This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.
No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.
Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups feature lets an administrator find out when a member of a specified group logs on to the computer: the administrator sets a list of group security identifiers (SIDs) in the registry, and an audit event is logged in the Security log if both of the following conditions are true:
One of the listed group SIDs is added to the access token when the user logs on.
Note An access token contains the security information for a logon session. Also, the token identifies the user, the user's groups, and the user's rights.
In the audit policy settings, the Special Logon feature is enabled.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To specify the list of the special groups, add the SpecialGroups registry entry. To do this, follow these steps:
Click Start, type regedit in the Start Search box, and then press ENTER.
Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
On the Edit menu, point to New, and then click String Value.
Type SpecialGroups, and then press ENTER.
Right-click SpecialGroups, and then click Modify.
In the Value data box, type the group SIDs, and then click OK.
A semicolon character (;) delimits the SIDs in the list. For example, the following string uses a semicolon to delimit two SIDs:
There is no restriction on the number of SIDs that you can enter in the Value data box.
Exit Registry Editor.
When a user logs on, the Special Groups feature checks whether any SID in the access token is in the SpecialGroups list. If the user belongs to one or more special groups, an audit event that resembles the following is logged in the Security event log:
Event ID: 4964
Special groups have been assigned to a new logon.

Subject:
   Security ID: Computer SID
   Account Name: Computer Name
   Account Domain: Computer Account Domain
   Logon ID: Computer Logon ID
   Logon GUID: Computer Logon GUID

New Logon:
   Security ID: User SID
   Account Name: User Account Name
   Account Domain: User Account Domain
   Logon ID: User Logon ID
   Logon GUID: User Logon GUID

Special Groups Assigned: Group SID
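The same configuration as the Registry Editor steps above, followed by a read-back of Event ID 4964, as an added PowerShell example that is not part of the Microsoft article. The two group SIDs are constructed placeholders for a hypothetical domain; the registry path, value name and delimiter come from the article, and the Special Logon subcategory name is the one used by auditpol.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell prompt.
# The SIDs below are placeholders for a hypothetical domain; substitute your own.

$auditKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Audit'

# Constructed example SIDs: Domain Admins (RID 512) and Enterprise Admins (RID 519)
# of the made-up domain S-1-5-21-1111111111-2222222222-3333333333.
$specialSids = @(
    'S-1-5-21-1111111111-2222222222-3333333333-512',
    'S-1-5-21-1111111111-2222222222-3333333333-519'
)

# A mistyped entry never matches at logon and produces no event, so check the
# shape of every value before writing the list.
foreach ($sid in $specialSids) {
    if ($sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a well-formed SID: $sid" }
}

# The article documents a REG_SZ value named SpecialGroups under Lsa\Audit,
# with the SIDs separated by semicolons.
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
New-ItemProperty -Path $auditKey -Name 'SpecialGroups' -PropertyType String `
    -Value ($specialSids -join ';') -Force | Out-Null

# Event 4964 is only written when the Special Logon subcategory is audited.
auditpol.exe /set /subcategory:"Special Logon" /success:enable | Out-Null

# Read back the configured list.
(Get-ItemProperty -Path $auditKey -Name 'SpecialGroups').SpecialGroups

# Show the most recent 4964 events as objects, one property per EventData field
# (the "Special Groups Assigned" value from the article is among these fields).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964 } -MaxEvents 10 `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = [ordered]@{ TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]$data
    }
```

After the value is set, a new logon by a member of one of the listed groups is required before any 4964 event appears; existing sessions are not re-evaluated.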