Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 672 - Authentication Ticket Granted [Win 2000]
EventID 672 - Authentication Ticket Granted [Win 2000]
Indicates that the authentication ticket was granted to a user or computer account requesting it.
In other words, this event indicates a successful user/computer initial domain logon.

Note: 
Logged only on domain controllers.
On Windows 2000 the EventID 672 indicates only authentication ticket grants, whereas failures to serve the authentication ticket request are indicated by EventID 676

Some fields provide codes as values. Refer to the following links in order to see their human-readable descriptions: Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other Windows versions:
Windows 2003
 Windows 2008
Related events:
 Sample: 
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Logon
        Event ID:       672
        Date:           11/13/2009
        Time:           11:32:59
        User:           NT AUTHORITY\SYSTEM
        Computer:       DCCC1
        Description:
        Authentication Ticket Granted:
        User Name:		Paul
        Supplied Realm Name:	LOGISTICS
        User ID:	%{S-1-5-21-746137067-343818398-839522115-1143}
        Service Name:		krbtgt
        Service ID:		%{S-1-5-21-746137067-343818398-839522115-502}
        Ticket Options:		0x40810010
        Ticket Encryption Type:	0x17
        Pre-Authentication Type:	2
        Client Address:		127.0.0.1
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Category Account Logon
Source Security
EventId 672
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
User Name Account name of the user/computer requesting the ticket InsertionString1 Paul
Supplied Realm Name User/computer account's DNS suffix InsertionString2 LOGISTICS
User ID Account name in the following format: domain name\account name InsertionString3 %{S-1-5-21-746137067-343818398-839522115-1143}
Service Name The account name of the service distributing tickets, e.g. krbtgt InsertionString4 krbtgt
Service ID The account name of the service distributing tickets in the following format: domain name\service account name InsertionString5 %{S-1-5-21-746137067-343818398-839522115-502}
Ticket Options A hexadecimal number representing the Key Distribution Center (KDC) Option flags that were used or requested when the ticket was issued. KDC Option flags include information such as whether a ticket can be forwarded or renewed. The number in the Ticket Options field is a bit mask. InsertionString6 0x40810010
Ticket Encryption Type The code for the Kerberos encryption type (etype) used in the ticket request. Please find the code descriptions here. InsertionString7 0x17
Pre-Authentication Type The code for the type of pre-authentication. InsertionString8 2
Client Address The IP address of the computer that sent the ticket request. If the request was made locally, then the address will be listed as 127.0.0.1. InsertionString9 127.0.0.1
Comments
You must be logged in to comment