Event-o-Pedia EventID 576 - Special privileges assigned to new logon

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Privilege Use->EventID 576 - Special privileges assigned to new logon

EventID 576 - Special privileges assigned to new logon

Indicates that a privilege that is not auditable on an individual-use basis has been assigned to a user's security context at logon.

Note:
Some privileges are used so frequently that auditing their every use would flood the audit log with useless noise. For example, SeChangeNotifyPrivilege is also used to bypass traverse access checking. This privilege is granted to all users in a normal system configuration and is used multiple times for each file opened. This audit event record is intended to warn an administrator that such a privilege has been assigned.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008

EventID 4672 - Special privileges assigned to new logon

Related events:

This event is normally preceded by one of the following events:

Sample:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Privilege Use
        Event ID:       576
        Date:           10/26/2009
        Time:           07:31:44
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Description:
        Special privileges assigned to new logon:
        User Name:	DC1$
        Domain:		RESEARCH
        Logon ID:		(0x0,0x60F7C2)
        Privileges:	SeSecurityPrivilege
        SeBackupPrivilege
        SeRestorePrivilege
        SeTakeOwnershipPrivilege
        SeDebugPrivilege
        SeSystemEnvironmentPrivilege
        SeLoadDriverPrivilege
        SeImpersonatePrivilege
        SeEnableDelegationPrivilege

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows 2000 Windows XP Windows 2003
Category	Privilege Use
Source	Security
EventId	576

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Category	A name for a subclass of events within the same Event Source.	Category	Logon/Logoff
Privileges	The list of assigned privileges	InsertionString4	SeSecurityPrivilege
Domain	Domain of the user logging in	InsertionString2	RESEARCH
Logon ID	ID of the logon session. Useful for tracking other user activity during the same logon session.	InsertionString3	(0x0,0x60F7C2)
User Name	Account name of the user logging in	InsertionString1	DC1$