Links

windows/security/threat-protection/auditing/event-4908.md

@@ -16,10 +16,9 @@ ms.technology: windows-sec
 
 # 4908(S): Special Groups Logon table modified.
 
+:::image type="content" source="images/event-4908.png" alt-text="Event 4908 illustration":::
 
-<img src="images/event-4908.png" alt="Event 4908 illustration" width="449" height="361" hspace="10" align="left" />
-
-***Subcategory:***&nbsp;[Audit Policy Change](audit-audit-policy-change.md)
+***Subcategory:*** [Audit Policy Change](audit-audit-policy-change.md)
 
 ***Event Description:***
 
@@ -29,18 +28,16 @@ This event also generates during system startup.
 
 This event is always logged regardless of the "Audit Policy Change" sub-category setting.
 
-More information about Special Groups auditing can be found here:
+For more information about Special Groups auditing, see [4908(S): Special Groups Logon table modified](/windows/security/threat-protection/auditing/event-4908).
 
-<https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx>
-
-</windows/security/threat-protection/auditing/event-4908>
-
-> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 
 <br clear="all">
 
 ***Event XML:***
-```
+
+```xml
 - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 - <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
@@ -75,11 +72,12 @@ More information about Special Groups auditing can be found here:
 
 **Special Groups** \[Type = UnicodeString\]**:** contains current list of SIDs (groups or accounts) which are members of Special Groups. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+> [!NOTE]
+> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
 
 “HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Audit\\SpecialGroups” registry value contains current list of SIDs which are included in Special Groups:
 
-<img src="images/registry-editor-audit.png" alt="Registry Editor Audit key illustration" width="1440" height="335" />
+:::image type="content" source="images/registry-editor-audit.png" alt-text="Registry Editor Audit key illustration":::
 
 ## Security Monitoring Recommendations