Event Details
User Activity->Policy Changes->User Rights Assignment->Windows 2000-2003->EventID 622 - System Security Access Removed
EventID 622 - System Security Access Removed
 Sample: 
Event Type:     SuccessAudit
Event Source:   Security
Event Category: Policy Change
Event ID:       622
Date:           10/26/2009 12:00:00 AM
Time:           07:41:24
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
System Security Access Removed:

	Access Removed:	SeServiceLogonRight

	Account Modified:	{S-1-5-21-184992632-1607737289-1287950321-1185}

	Removed By:

	  User Name:	Alebovsky

	  Domain:		RESEARCH

	  Logon ID:	(0x0,0x59DF36)
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Windows XP
Category Policy Change
Source Security
EventId 622
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 12/14/2009 6:59:09 AM
Who Account or user name under which the activity occured. User Name Alebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Policy Change" Policy Change
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "High" High
WhoDomain Domain RESEARCH
WhereDomain -
Policy Name The name of the affected policy. "User Rights Removal" User Rights Removal
User Right The list of assigned or removed user rights Access Removed
Whom Account name of the user to/from whom the right was assigned/removed Account Modified {S-1-5-21-184992632-1607737289-1287950321-1185}
Comments
You must be logged in to comment