Description of the Special Groups feature in Windows Vista and in Windows Server 2008

Special Groups is a new feature in Windows Vista and in Windows Server 2008. The Special Groups feature lets an administrator set a list of group security identifiers (SIDs) in the registry. An audit event is logged in the Security log if the following conditions are true:

Any of the group SIDs is added to an access token when a group member logs on.

Note An access token contains the security information for a logon session. Also, the token identifies the user, the user’s groups, and the user’s rights.

In the audit policy settings, the Special Logon feature is enabled.

The Special Groups feature enables the administrator to find out when a member of a certain group logs on to the computer.


Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

To specify the list of the special groups, add the SpecialGroups registry entry. To do this, follow these steps:

1. Click Start, type regedit in the Start Search box, and then press ENTER.

Note If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.

2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit
3. On the Edit menu, point to New, and then click String Value.
4. Type SpecialGroups, and then press ENTER.
5. Right-click SpecialGroups, and then click Modify.
6. In the Value date box, type the group SIDs, and then click OK.


A semicolon character (;) can be used to delimit the SID list. For example, you can use the following string that contains a semicolon to delimit two SIDs:


There is no restriction on the number of SIDs that you can enter in the Value date box.
7. Exit Registry Editor.

When a user logs on, the Special Groups feature checks whether the SIDs in the access token belong to a special group. If the user belongs to one or more special groups, an audit event is logged in the Security event log that resembles the following event:

Event ID: 4964
Special groups have been assigned to a new logon.
Security ID: Computer SID
Account Name: Computer Name
Account Domain: Computer Account Domain
Logon ID: Computer Logon ID
Logon GUID: Computer Logon GUID

New Logon:
Security ID: User SID
Account Name: User Account Name
Account Domain: User Account Domain
Logon ID: User Logon ID
Logon GUID: User Logon GUID
Special Groups Assigned: Group SID

Windows Vista Enterprise 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business
Windows Vista Business 64-bit Edition
Windows Vista Enterprise
Windows Vista Ultimate
Windows Server 2008, Datacenter
Windows Server 2008 for Itanium-Based Systems


Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

To prove that you're not a bot, enter this code
Anti-Spam Image