From the test I did, it does not capture information pertaining to grant/deny connection and enable/disable the login. Now if you add/remove a user from a database, it does capture that. I would expect that capturing the instance-level information would require C2 Audit to be enabled, or a custom server-side trace. You don't specify the version of SQL Server you are working with, but if you are using anything above SQL Server 2008 I would highly suggest looking into [SQL Audit].

**Edit** It appears, as John has pointed out, that the default trace is selective in what GRANT commands it captures pertaining to a login. That seems odd to me, which is why I don't usually depend on the default trace for this information.
We are using Microsoft SQL Server 2008 (SP2) - 10.0.4000.0 (X64) Sep 16 2010 19:43:16 Copyright (c) 1988-2008 Microsoft Corporation Enterprise Edition (64-bit) on Windows NT 6.0 (Build 6002: Service Pack 2). We manage SQL clusters in a data warehouse, so I was interested in using the default trace to diagnose security issues. Many thanks for all your help.
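An added example (not part of the original answer or comment) of the SQL Audit approach suggested above, written for a SQL Server 2008 Enterprise instance like the one described in the comment. It records the login-level events the answer reports missing from the default trace: enabling or disabling a login and GRANT/DENY/REVOKE of server permissions such as CONNECT SQL. The audit name, specification name and file path are assumptions.

```sql
USE master;
GO

-- Audit target: rolling files on local disk.
-- Assumption: D:\SQLAudit\ exists and the service account can write to it.
CREATE SERVER AUDIT LoginChangeAudit
TO FILE (
    FILEPATH = N'D:\SQLAudit\',
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 10
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Instance-level action groups:
--   SERVER_PRINCIPAL_CHANGE_GROUP    CREATE/ALTER/DROP LOGIN (includes ENABLE/DISABLE)
--   SERVER_PERMISSION_CHANGE_GROUP   GRANT/DENY/REVOKE of server permissions (e.g. CONNECT SQL)
--   SERVER_ROLE_MEMBER_CHANGE_GROUP  membership changes in fixed server roles
CREATE SERVER AUDIT SPECIFICATION LoginChangeAuditSpec
FOR SERVER AUDIT LoginChangeAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Audits are created disabled; turn this one on.
ALTER SERVER AUDIT LoginChangeAudit WITH (STATE = ON);
GO

-- Review what was captured: who changed which login, and the statement used.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,        -- who ran the statement
       target_server_principal_name, -- login that was changed
       statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\LoginChangeAudit*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

On a cluster, the audit file path has to be reachable from whichever node currently owns the instance, so a shared cluster disk is the usual choice.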