Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Policy Change->EventID 609 - User Right Removed
EventID 609 - User Right Removed

This event record indicates that a specific right assigned to the identified user was successfully removed on the computer where event was logged.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008
     Sample: 
    Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change
Event ID:       609
Date:           10/26/2009
Time:           07:41:23
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
User Right Removed:
	User Right:	SeTcbPrivilege
	Removed From:	RESEARCH\WGale
	Removed By:
	  User Name:	Alebovsky
	  Domain:		RESEARCH
	  Logon ID:	(0x0,0x59DF36)
    Log Type: Windows Event Log
     Uniquely Identified By:
    Log Name: Security
    Filtering Field Equals to Value
    OSVersion Windows 2000
    Windows XP
    Windows 2003
    Category Policy Change
    Source Security
    EventId 609
    Field Matching
    FieldDescriptionStored inSample Value
    DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
    Source Name of an Application or System Service originating the event. Source Security
    Type Warning, Information, Error, Success, Failure, etc. Type Success
    User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
    Computer Name of server workstation where event was logged. Computer DC1
    EventID Numerical ID of event. Unique within one Event Source. EventId 576
    Description The entire unparsed event message. Description Special privileges assigned to new logon.
    Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
    Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
    User Right System name of the right revoked. Please see user right descriptions here. InsertionString1 SeTcbPrivilege
    Removed From The user or group from who the right was revoked, prefixed by domain name InsertionString2 RESEARCH\WGale
    Removed By: User Name The user who removed the right. Normally the computer name where the right was removed. InsertionString3 ALebovsky
    Removed By: Domain Domain of the "Removed by" InsertionString4 RESEARCH
    Removed By: Logon ID ID of the logon session of the user who removed the right. Useful for tracking other user activity during the same logon session. InsertionString5 (0x0,0x59DF36)
    Comments
    You must be logged in to comment