Fields Description
User Rights
User Right Description
SeTcbPrivilege Act as part of the operating system
SeMachineAccountPrivilege Add workstations to domain
SeIncreaseQuotaPrivilege Adjust memory quotas for a process
SeBackupPrivilege Back up files and directories
SeChangeNotifyPrivilege Bypass traverse checking
SeSystemtimePrivilege Change the system time
SeCreatePagefilePrivilege Create a pagefile
SeCreateTokenPrivilege Create a token object
SeCreatePermanentPrivilege Create permanent shared objects
SeDebugPrivilege Debug programs
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeAuditPrivilege Generate security audits
SeIncreaseBasePriorityPrivilege Increase scheduling priority
SeLoadDriverPrivilege Load and unload device drivers
SeLockMemoryPrivilege Lock pages in memory
SeSecurityPrivilege Manage auditing and security log
SeSystemEnvironmentPrivilege Modify firmware environment values
SeManageVolumePrivilege Perform volume maintenance tasks
SeProfileSingleProcessPrivilege Profile single process
SeSystemProfilePrivilege Profile system performance
SeUndockPrivilege Remove computer from docking station
SeAssignPrimaryTokenPrivilege Replace a process level token
SeRestorePrivilege Restore files and directories
SeShutdownPrivilege Shut down the system
SeSyncAgentPrivilege Synchronize directory service data
SeTakeOwnershipPrivilege Take ownership of files or other objects
Audit policy Categories and Subcategories
Audit policy categories supported on Windows Server 2003:
  • Account Logon
  • Account Management
  • Detailed Tracking
  • Directory Service
  • Logon/Logoff
  • Object Access
  • Policy Change
  • Privilege Use
  • System Events
On Windows Server 2008, audit policy can be adjusted more granularly with the auditpol utility.
Windows Server 2008 and later Audit Policy Subcategories:
  • Security State Change
  • Security System Extension
  • System Integrity
  • IPsec Driver
  • Other System Events
  • Logon
  • Logoff
  • Account Lockout
  • IPsec Main Mode
  • Special Logon
  • IPsec Quick Mode
  • IPsec Extended Mode
  • Other Logon/Logoff Events
  • Network Policy Server
  • User / Device Claims
  • Group Membership
  • File System
  • Registry
  • Kernel Object
  • SAM
  • Other Object Access Events
  • Certification Services
  • Application Generated
  • Handle Manipulation
  • File Share
  • Filtering Platform Packet Drop
  • Filtering Platform Connection
  • Detailed File Share
  • Removable Storage
  • Central Access Policy Staging
  • Sensitive Privilege Use
  • Non Sensitive Privilege Use
  • Other Privilege Use Events
  • Process Creation
  • Process Termination
  • DPAPI Activity
  • RPC Events
  • Plug and Play Events
  • Token Right Adjusted Events
  • Audit Policy Change
  • Authentication Policy Change
  • Authorization Policy Change
  • MPSSVC Rule-Level Policy Change
  • Filtering Platform Policy Change
  • Other Policy Change Events
  • User Account Management
  • Computer Account Management
  • Security Group Management
  • Distribution Group Management
  • Application Group Management
  • Other Account Management Events
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication
  • Credential Validation
  • Kerberos Service Ticket Operations
  • Other Account Logon Events
  • Kerberos Authentication Service
Logon Types
Logon Type Description
2 Interactive
3 Network
4 Batch
5 Service
7 Unlock
8 NetworkCleartext
9 NewCredentials
10 RemoteInteractive
11 CachedInteractive
Logon Rights
System name Description
SeNetworkLogonRight Access this computer from the network
SeRemoteInteractiveLogonRight Allow logon through Terminal Services
SeDenyNetworkLogonRight Deny access to this computer from the network
SeDenyBatchLogonRight Deny logon as a batch job
SeDenyServiceLogonRight Deny logon as a service
SeDenyInteractiveLogonRight Deny logon locally
SeDenyRemoteInteractiveLogonRight Deny logon through Terminal Services
SeBatchLogonRight Log on as a batch job
SeServiceLogonRight Log on as a service
SeInteractiveLogonRight Log on locally
Kerberos Failure Codes
Failure code (Dec) Failure code (Hex) Kerberos RFC description
1 0x01 Client's entry in database has expired
2 0x2 Server's entry in database has expired
3 0x3 Requested protocol version # not supported
4 0x4 Client's key encrypted in old master key
5 0x5 Server's key encrypted in old master key
6 0x6 Client not found in Kerberos database
7 0x7 Server not found in Kerberos database
8 0x8 Multiple principal entries in database
9 0x9 The client or server has a null key
10 0xA Ticket not eligible for postdating
11 0xB Requested start time is later than end time
12 0xC KDC policy rejects request
13 0xD KDC cannot accommodate requested option
14 0xE KDC has no support for encryption type
15 0xF KDC has no support for checksum type
16 0x10 KDC has no support for padata type
17 0x11 KDC has no support for transited type
18 0x12 Client's credentials have been revoked
19 0x13 Credentials for server have been revoked
20 0x14 TGT has been revoked
21 0x15 Client not yet valid - try again later
22 0x16 Server not yet valid - try again later
23 0x17 Password has expired
24 0x18 Pre-authentication information was invalid
25 0x19 Additional pre-authentication required*
31 0x1F Integrity check on decrypted field failed
32 0x20 Ticket expired
33 0x21 Ticket not yet valid
34 0x22 Request is a replay
35 0x23 The ticket isn't for us
36 0x24 Ticket and authenticator don't match
37 0x25 Clock skew too great
38 0x26 Incorrect net address
39 0x27 Protocol version mismatch
40 0x28 Invalid msg type
41 0x29 Message stream modified
42 0x2A Message out of order
44 0x2C Specified version of key is not available
45 0x2D Service key not available
46 0x2E Mutual authentication failed
47 0x2F Incorrect message direction
48 0x30 Alternative authentication method required*
49 0x31 Incorrect sequence number in message
50 0x32 Inappropriate type of checksum in message
60 0x3C Generic error (description in e-text)
61 0x3D Field is too long for this implementation
NTLM Failure Codes
Failure code (Dec) Failure code (Hex) Error Description
3221225572 0xC0000064 The user name does not exist
3221225578 0xC000006A The user name is correct but the password is wrong
3221226036 0xC0000234 The user is currently locked out
3221225586 0xC0000072 The account is currently disabled
3221225583 0xC000006F The user tried to log on outside his day of week or time of day restrictions
3221225584 0xC0000070 The user tried to log on outside the user's workstation restrictions
3221225875 0xC0000193 The user account has expired
3221225585 0xC0000071 The user tried to log on with an expired password
3221226020 0xC0000224 The user tried to log on with an account on which the administrator has selected the "User must change password at next logon" option
Ticket Encryption Types
Etype Value Encryption Type Name (RFC Notation) Encryption Type Name (Microsoft Notation) Explanation
23 rc4-hmac KERB_ETYPE_RC4_HMAC_NT (also RC4_HMAC_MD5 or simply RC4-HMAC) RC4 stream cipher with a hash-based Message Authentication Code (MAC), as used by Windows
-133 n/a KERB_ETYPE_RC4_HMAC_OLD n/a
-128 n/a KERB_ETYPE_RC4_MD4 RC4 stream cipher with the MD4 hash function
3 des-cbc-md5 KERB_ETYPE_DES_CBC_MD5 DES encryption in cipher-block-chaining mode with an MD5 checksum
1 des-cbc-crc KERB_ETYPE_DES_CBC_CRC DES encryption in cipher-block-chaining mode with a CRC-32 checksum
18 aes256-cts-hmac-sha1-96 KERB_ETYPE_AES256_CTS_HMAC_SHA1_96 n/a