🎉 Our Microsoft 365 Reporting & Management Tool is available in Marketplace 🚀
Active Directory

How to Audit Special Logons Based on Group Membership in Active Directory

High volumes of Active Directory logon events can make it difficult to identify sign-ins from privileged or sensitive accounts. To address this, Windows records Special Logon events when members of designated security groups sign in. By auditing these events, admins can monitor privileged account activity and detect potential threats early. In this guide, we’ll walk through how to track logons of special group members in Active Directory and monitor sensitive access more effectively.

Microsoft 365 tools

Audit Special Group Logons in Active Directory Using Event Viewer

Active Directory Permission Required
Event Log Readers Least Privilege
Administrators Most Privilege
  • Open Server Manager and navigate to Tools » Event Viewer.
  • From the left pane, navigate to Windows Logs » Security, and select Filter Current Log from the Actions pane.
  • In the filter window, enter 4964 in the All Event IDs field.
  • Now, the Event Viewer will display logon events for all members of the configured special groups in Active Directory.
  • You can double-click any event to open Event Properties page and view details such as account name, logon time, special groups assigned, and more.
Audit Special Group Logons in Active Directory Using Event Viewer

Track Special Group Members' Logons in Active Directory Using PowerShell

Active Directory Permission Required
Event Log Readers Least Privilege
Administrators Most Privilege
  • The Event Viewer method helps you retrieve special group logon events, but manually reviewing the details of each event one by one can be time-consuming.
  • To simplify this, you can use Active Directory PowerShell to export group-based special logon events in Active Directory.
  • Run the cmdlet below by replacing <OutputCSVFilePath> with the location where you want to save the Active Directory special logon report.
  • Windows PowerShell Windows PowerShell
     Get-WinEvent -FilterHashtable @{ 
        LogName = 'Security' 
        Id = 4964 
    } | Select-Object TimeCreated,@{Name='Username';Expression={$_.Properties[1].Value}},@{Name='Target User SID';Expression={$_.Properties[5].Value}},@{Name='Logon ID';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'TargetLogonId'} | Select-Object -ExpandProperty '#text'}},@{Name='Logon Machine';Expression={$_.MachineName}} | 
    Export-Csv "<OutputCSVFilePath>" -NoTypeInformation
  • The special group logons report includes details such as the logon time, username, logon ID, logon machine name, and the special groups assigned.
Track Special Group Members' Logons in Active Directory Using PowerShell

Never Miss a Sign-in from Critical Active Directory Group Members Using Special Logons!

The AdminDroid Active Directory auditing tool offers comprehensive reports and interactive dashboards for monitoring all group-based special logons in Active Directory. Beyond this, it provides insights into user logon and logoff activity, logon failures, privileged account usage, and other security events to help track sensitive account activity. Here are some key AdminDroid features to monitor and audit special group members’ logons effectively.

Review Special Privileges Logon to Identify Privilege Escalation

Monitor privilege-based Special Logon events alongside privileged group logons to identify sensitive accounts and ensure privileged access is used appropriately in your domain.

Investigate Failed Logons of Special Group Members for Suspicious Activity

Filter the failed logon events in Active Directory report by the username of a special group member to detect potential threats and secure privileged accounts against unauthorized access.

Audit Special Group Logon Table Changes to Detect Unusual Activity

View the special group changes report to monitor SpecialGroups registry modifications, as any unauthorized changes can stop privileged group logons from being recorded in your domain.

Monitor Group Membership Changes to Prevent Missed Special Logons

Leverage ready-to-use membership changes in privileged groups alert template in AdminDroid to get notified instantly whenever a special group’s membership changes, ensuring special logon auditing stays up to date.

Identify Inactive Special Group Members Using Last Logon Activity

Review the users' last logon time in Active Directory report in AdminDroid using Username filter to identify dormant privileged accounts that can be deprovisioned or removed from special groups to minimize the attack surface.

Detect Group SID Changes to Update Special Group Registry

Use the groups with SID history report to identify groups with changed SIDs after migrations and update the SpecialGroups registry with the new SIDs to maintain tracking special logon events.

Overall, AdminDroid’s Active Directory management tool offers comprehensive insights into the special logon activity of special groups. Additionally, it helps monitor privileged accounts, receive alerts on privilege escalation, and remediate inactive Active Directory user accounts to maintain continuous visibility into sensitive account activity.

Explore a full range of reporting options

Important Tips

Configure only the SIDs of essential privileged groups in the SpecialGroups Registry to reduce event flooding and improve accuracy of special logon auditing.

Limit membership in privileged groups to only users who require elevated access to improve special logon audit clarity and simplify logon analysis.

Restrict the members of special logon groups to sign in from hardened workstations only to minimize the risk of unauthorized access and lateral movement.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting tips while retrieving special group logons in Active Directory.

Error The Registry Editor cannot rename New Value #1. The specified value name already exists. Type another name and try again.

This error occurs in Registry Editor when you try to create another string value using the same name SpecialGroups.

Fix You can create only one registry value named SpecialGroups. To monitor multiple Active Directory groups, add their SIDs as semicolon-separated values in the existing entry instead of creating a new SpecialGroups value.

Error Get-WinEvent : No events were found that match the specified selection criteria.

This error occurs when there are no events available for special logon based on Active Directory group membership.

Fix If expected events are not appearing, check the following: 
  • Special group SIDs are registered in Registry Editor.
  • Special Logon auditing is enabled under Advanced Audit Policy.
  • Policy is refreshed using gpupdate /force or system restart.

If no events appear after verifying these settings, it means no matching logons have occurred yet.

Error Get-ADGroup : The term 'Get-ADGroup' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when attempting to retrieve the SID of Active Directory groups without importing the Active Directory PowerShell module.

Fix If you are running the command on a Domain Controller, the Active Directory module is already available by default, so you only need to import it. If you are running it from a workstation or member server, install RSAT and import the Active Directory module using the cmdlet below to retrieve the group details.
Import-Module ActiveDirectory
Frequently Asked Questions

Safeguard Privileged Accounts with Special Logon Auditing in Active Directory

1. What are special groups in Active Directory?

By default, every successful logon generates Event ID 4624, regardless of whether the user is a standard user or a member of a privileged group. In environments with thousands of daily logons, identifying sign-ins from high-value accounts can be time-consuming and error-prone. Special Group auditing addresses this challenge by generating a dedicated event whenever a member of a monitored group signs in.

Special groups in Active Directory

Special groups are administrator-defined Active Directory security groups whose member logons require additional monitoring. They are commonly used to track sign-ins by privileged groups such as Domain Admins, Enterprise Admins, or any custom security group.

Admins should manually define which groups should be monitored by adding their Security Identifiers (SIDs) to the SpecialGroups registry value on Windows systems.

How does group-based Special Logon auditing works?

When a user logon, Windows evaluates the user’s security token and checks whether it contains any of the configured special group SIDs.

If a match is found, Windows generates Event ID 4964 (special groups have been assigned to a new logon), indicating that the user belongs to one or more monitored groups. This dedicated event enables admins to quickly identify logons by members of selected groups without filtering through countless Event ID 4624 entries. It can also be correlated with other security events during investigations and root cause analysis.

In this way, special group auditing simplifies this process by providing a focused view of high-importance logon activity, improving visibility and reducing manual effort.

2. How to add an Active Directory group SID in the Windows registry for special logon auditing?

To enable Special Logon auditing for specific Active Directory groups, admins must manually define the SIDs groups they want to monitor in the Windows Registry. This is a critical configuration step, as only the groups whose SIDs are registered are considered during Special Logon auditing.

Below are the steps to add the SID of an Active Directory group in Windows Registry:

  • Open Registry Editor from the Start menu or press (Win+R), type regedit, and hit Enter.
  • Navigate to HKEY_LOCAL_MACHINE » SYSTEM » CurrentControlSet » Control » Lsa » Audit.
  • Right-click the Audit folder, select New » String Value, enter SpecialGroups as the string value name, and press Enter. Ensure the name is entered exactly as specified.
  • Right-click SpecialGroups, select Modify, and in the Value data box, paste the SIDs of the target Active Directory groups separated by semi-colon.
add-sid-of-ad-groups-in-registry

Note: Active Directory group SIDs differ across domains. You can retrieve the SIDs of the Active Directory groups in your environment running the below PowerShell cmdlet.

Get-ADGroup -Filter * | Select-Object Name, SID

3. How to enable special logon auditing in Active Directory?

Adding SIDs to the SpecialGroups registry value is only the first step in tracking logons by members of the configured groups. To track special logon events in Active Directory, the special logon audit policy must also be enabled. Without this audit policy, Windows will not log Event ID 4964, even if the special groups are configured.

Follow the steps below to enable the audit special logon policy in Active Directory.

  • Open the Group Policy Management console from the Start menu or press (Win + R), type gpmc.msc, and hit Enter.
  • Expand the Forest, then expand Domains. You can either edit an existing GPO or create a new GPO based on your requirement. Then, right-click the target GPO and select Edit.
  • In the Group Policy Management Editor, navigate to Computer Configuration » Policies » Windows Settings » Security Settings.
  • Under Advanced Audit Policy Configuration, expand Audit Policies and select Logon/Logoff.
  • Right-click Audit Special Logon and select Properties.
  • Enable Configure the following audit events and select Success. Click Apply and then OK. Since Special Logon events are recorded only for successful logons, auditing failure events is not required.
enable-special-logon-audit-policy-in-ad
  • The Special Logon audit policy is now enabled, and logon events will be recorded. Once enabled, every logon by a member of the specified group is recorded as a Special Logon event.

By default, Group Policy is updated every 90 minutes with a random offset. To force the policy changes to take effect immediately, run gpupdate /force in Command Prompt.

4. What is the difference between the special privileges logons and special groups logons?

Special Group Logon and Special Privilege Logon are often mistaken for the same thing in Active Directory, but they serve different purposes. Windows Security Auditing distinguishes them by monitoring two different aspects of a logon: one based on group membership and the other based on assigned user privileges.

Special groups logons identify users who belong to specific Active Directory groups that are explicitly registered for monitoring. In contrast, Special Privileges logons identify accounts that are granted sensitive privileges at the time of logon, regardless of group membership.

Let’s look at their differences in detail.

CharacteristicsSpecial Groups LogonsSpecial Privileges Logons

When it occurs

When a user logs on and their group membership SID matches a SID configured in the SpecialGroups registry value.

When a user logs on and is assigned sensitive user rights (privileges) such as SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege, etc.

What it checks

Who you are – Identifies users based on their membership in monitored security groups.

What you can do – Identifies users based on the sensitive privileges assigned to their accounts.

Configuration required

Requires manual registration of group SIDs in the Registry along with enabling special logon audit policy.

Requires enabling of special logon auditing only.

Event ID generated

4964

4672

Typical use case

Highlight logons by privileged Active Directory group members for enhanced monitoring.

Monitor logons where high-level sensitive privileges are assigned to users to detect and prevent unauthorized privilege escalation.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
User Help Manuals Compliance Docs Customer Stories
x
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!