We help IT Professionals succeed at work.

SCOM 2012r2 Privileged logon report shows 576 event id but not actually logged in the server

I see some strange logged report from SCOM 2012r2. When we ran the audit report and we see Privileged Logon report it shows the default administrator account domain\administrator account been used one of the sql server cluster nodes. When we checked there is no script or no where used this account. But the report logs in SCOM often where in the strange part is, when we checked the security logs for on the SQL node we couldn't see the 576. Any idea why does SCOM reports faking when there is no event logged on the SQL node. Please refer attachment.

But i found there are event logged with ID : 4634, 4672.  I am confused why SCOM still shows 576 in the report instead of new event id's.
Watch Question

E ATech Lead

Most user rights are not logged by event 576 and instead are logged at the actual time they are exercised using either event 577 or 578. Get in detailed here about  - Windows Security Log Event ID 576

Event ID 4672 lets you know whenever an account assigned any administrator equivalent user rights logs on.

Here is another informative article to track Privileged Users' Activities in Active Directory.

Hope this helps!
Ganesh AnandLead Technical Consultant


i am aware about the event id and need to know which process or account using the privileged logons.
Lead Technical Consultant
NO solution yet for this but this issue was not raised hence closing this request