
The user’s logon and logoff events are logged under two categories in an Active Directory based environment. These events are controlled by the following two group/security policy settings.

Note: See also these articles: Enable logon and logoff events via GPO and Track logon and logoff activity.

This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller’s security log. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.

The following table lists the Event IDs which are logged under the category Audit account logon events.

Account Logon Events
- An authentication service (AS) ticket was successfully issued and validated.
- A ticket granting service (TGS) ticket was granted.
- A security principal renewed an AS ticket or TGS ticket.
- A TGS ticket was not granted.
- This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
- This event is not generated in Windows XP or in the Windows Server 2003 family.
- An account was successfully mapped to a domain account.
- The domain controller attempted to validate the credentials for an account.

This security setting determines whether to audit each instance of a user logging on to or logging off from a computer. The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only.

By using these events we can track a user’s logon duration by mapping logon and logoff events with the user’s Logon ID, which is unique between the user’s logon and logoff events.

For example, if the user ‘Admin’ logs on at 10 AM, we will get the following logon event: 4624 with a Logon ID like 0x24f6. If he logs off the system at 6 PM, we will get the logoff event, either 4634 or 4647 (Interactive and RemoteInteractive (remote desktop) logons), with the same Logon ID 0x24f6. We can correlate these two events by Logon ID and find the logon duration of the user Admin.

The following table lists the Event IDs which are logged under the category Audit logon events.

Logon/Logoff Events
- A user successfully logged on to a computer.
- A user has reconnected to a disconnected terminal server session.
- A user disconnected a terminal server session without logging off.

The following table lists the Logon Types for the Event IDs 4624, 4634.

- Interactive: A user logged on to this computer.
- Network: A user or computer logged on to this computer from the network.
- Batch: Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
- Service: A service was started by the Service Control Manager.
- NetworkCleartext: A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
- NewCredentials: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
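The Logon ID correlation described above, as an added example (not code from the original article): it pairs each 4624 with the first 4634 or 4647 carrying the same Logon ID, and separately reports logons with no logoff and logoffs with no logon. The record layout, field names, computer name and sample values are constructed for illustration.

```python
from datetime import datetime

LOGON, LOGOFF = {4624}, {4634, 4647}

# Constructed sample records (not real log data), shaped like fields exported
# from the Security log. The field names are assumptions of this example.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T10:00:00", "computer": "WS01", "event_id": 4624, "user": "Admin", "logon_id": "0x24f6"},
    {"time": "2024-03-04T11:30:00", "computer": "WS01", "event_id": 4624, "user": "Bob", "logon_id": "0x3a10"},
    {"time": "2024-03-04T18:00:00", "computer": "WS01", "event_id": 4647, "user": "Admin", "logon_id": "0x24F6"},
    {"time": "2024-03-04T18:00:02", "computer": "WS01", "event_id": 4634, "user": "Admin", "logon_id": "0x24f6"},
    {"time": "2024-03-04T19:00:00", "computer": "WS01", "event_id": 4634, "user": "Eve", "logon_id": "0x9999"},
]


def logon_durations(events):
    """Return (sessions, open_logons, orphan_logoffs) for a list of event records."""
    open_logons = {}   # (computer, logon_id) -> logon event still waiting for a logoff
    closed = set()     # keys already paired, so a second logoff event is not an orphan
    sessions, orphans = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Normalise hex case and key on the computer too: a Logon ID is only
        # meaningful on the machine that issued it.
        key = (ev["computer"].lower(), int(ev["logon_id"], 16))
        if ev["event_id"] in LOGON:
            closed.discard(key)
            open_logons[key] = ev
        elif ev["event_id"] in LOGOFF:
            start = open_logons.pop(key, None)
            if start is None:
                # Either a repeat logoff for a paired session (4634 after 4647)
                # or a logoff whose logon lies outside the exported range.
                if key not in closed:
                    orphans.append(ev)
                continue
            closed.add(key)
            delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(start["time"])
            sessions.append({"user": start["user"], "logon_id": hex(key[1]),
                             "closed_by": ev["event_id"], "duration": delta})
    return sessions, list(open_logons.values()), orphans
```

On the sample data, Admin's session is closed by the 4647 and the 4634 that follows two seconds later is ignored rather than counted as a second logoff.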
