Summary: Learn how to audit special privilege use with Windows PowerShell.
How can I easily find information about auditing special privileges that are assigned to various logon IDs if I am running Windows 8 and Windows Server 2012?
Start Windows PowerShell with Admin rights. Use the Get-EventLog cmdlet to query the security event log, look for InstanceID 4672, and select TimeWritten and Message. To make it easier to read, use Format-Table, and autosize and wrap the entries:
PS C:\> Get-EventLog security -InstanceId 4672 -newest 20 | ft timewritten, message -auto -wr
TimeWritten           Message
-----------           -------
6/19/2013 12:03:01 PM Special privileges assigned to new logon.
                      Subject:
                          Security ID:    S-1-5-18
                          Account Name:   SYSTEM
                          Account Domain: NT AUTHORITY
                          Logon ID:       0x3e7
                      Privileges: SeAssignPrimaryTokenPrivilege
                                  SeTcbPrivilege
                                  SeSecurityPrivilege
                                  SeTakeOwnershipPrivilege
                                  SeLoadDriverPrivilege
                                  SeBackupPrivilege
                                  SeRestorePrivilege
                                  SeDebugPrivilege
                                  SeAuditPrivilege
                                  SeSystemEnvironmentPrivilege
                                  SeImpersonatePrivilege
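The Message column is free text, so filtering by account or privilege means parsing it. The following is an added example, not part of the original tip: it turns each 4672 message into an object and lists logons by accounts other than the built-in service accounts that hold a watched privilege. The function name, the watch list, and the CONTOSO account and SID are assumptions for illustration, and the sample messages are constructed.

```powershell
function ConvertFrom-SpecialLogonMessage {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Subject fields look like "Account Name:   SYSTEM"
        $rx = '(?m)^\s*(Security ID|Account Name|Account Domain|Logon ID):[ \t]*(\S.*?)\s*$'
        $field = @{}
        foreach ($m in [regex]::Matches($Message, $rx)) {
            $field[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        # First privilege follows "Privileges:", the rest sit on their own lines
        $privs = [regex]::Matches($Message, '\bSe\w+Privilege\b') | ForEach-Object Value
        [pscustomobject]@{
            SecurityId = $field['Security ID']
            Account    = '{0}\{1}' -f $field['Account Domain'], $field['Account Name']
            LogonId    = $field['Logon ID']
            Privileges = @($privs)
        }
    }
}

# Constructed sample messages; the CONTOSO account and its SID are made up
$samples = @(
@'
Special privileges assigned to new logon.
Subject:
    Security ID:    S-1-5-18
    Account Name:   SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID:       0x3e7
Privileges:     SeTcbPrivilege
                SeDebugPrivilege
'@,
@'
Special privileges assigned to new logon.
Subject:
    Security ID:    S-1-5-21-1111111111-2222222222-3333333333-1104
    Account Name:   alice
    Account Domain: CONTOSO
    Logon ID:       0x5a3f1
Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeDebugPrivilege
'@)
$systemSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'  # LocalSystem, LocalService, NetworkService
$watch = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege'  # illustrative choice
# Live data: Get-EventLog security -InstanceId 4672 -newest 200 | ForEach-Object Message
$samples | ConvertFrom-SpecialLogonMessage |
    Where-Object { $systemSids -notcontains $_.SecurityId } |
    Select-Object Account, LogonId, @{ n = 'WatchedPrivileges'
        e = { ($_.Privileges | Where-Object { $watch -contains $_ }) -join ', ' } }
```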