<div>
Most user rights are not logged by event 576 and instead are logged at the actual time they are exercised using either event 577 or 578. Get in detailed here about &nbsp;- <a href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=576" rel="ugc">Windows Security Log Event ID 576</a><br />
<br />
<a href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672" rel="ugc">Event ID 4672</a> lets you know whenever an account assigned any administrator equivalent user rights logs on. <br />
<br />
Here is another informative article to <a href="https://www.lepide.com/how-to/track-privileged-user-activities-in-active-directory.html" rel="ugc">track Privileged Users' Activities in Active Directory</a>.<br />
<br />
Hope this helps!
</div>


Lead Technical Consultant

Ganesh Anand

<div>
i am aware about the event id and need to know which process or account using the privileged logons.
</div>


<div>
<div class="content wysiwyg-content">
I see some strange logged report from SCOM 2012r2. When we ran the audit report and we see Privileged Logon report it shows the default administrator account domain\administrator account been used one of the sql server cluster nodes. When we checked there is no script or no where used this account. But the report logs in SCOM often where in the strange part is, when we checked the security logs for on the SQL node we couldn't see the 576. Any idea why does SCOM reports faking when there is no event logged on the SQL node. Please refer attachment.<br />
<br />
<a href="https://filedb.experts-exchange.com/incoming/2017/11_w45/1204603/scom.jpg" target="_blank" title="Snapshot (77 KB)"><img alt="Snapshot" class="file-block lazyload" style="max-width: 679px;" data-src="https://filedb.experts-exchange.com/incoming/2017/11_w45/1204603/scom.jpg" /></a><br />
But i found there are event logged with ID : 4634, 4672. &nbsp;I am confused why SCOM still shows 576 in the report instead of new event id's.
</div>
</div>


scom.jpg

I see some strange logged report from SCOM 2012r2. When we ran the audit report and we see Privileged Logon report it shows the default administrator account domain\administrator account been used one of the sql server cluster nodes. When we checked there is no script or no where used this account. But the report logs in SCOM often where in the strange part is, when we checked the security logs for on the SQL node we couldn't see the 576. Any idea why does SCOM reports faking when there is no event logged on the SQL node. Please refer attachment.



But i found there are event logged with ID : 4634, 4672.  I am confused why SCOM still shows 576 in the report instead of new event id's.

SCOM 2012r2 Privileged logon report shows 576 event id but not actually logged in the server

System Center Operations Manager (SCOM)

Microsoft SQL Server is a suite of relational database management system (RDBMS) products providing multi-user database access functionality.SQL Server is available in multiple versions, typically identified by release year, and versions are subdivided into editions to distinguish between product functionality. Component services include integration (SSIS), reporting (SSRS), analysis (SSAS), data quality, master data, T-SQL and performance tuning.

Microsoft SQL Server

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.