Re: Detecting user logon logoff
- From: Eric Perlin [MSFT] <EricPerlinMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Oct 2006 10:29:02 -0700
On the DC, you should find a 680 (NTLM) or a 672 (Kerberos) when the credentials are validated.
The header might indicate SYSTEM but the content should indicate for which user.
From msaudite.h:
//
// SE_AUDITID_ACCOUNT_LOGON
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Type: Success / Failure
//
// Description: This audits a logon attempt. The audit appears on the DC.
// This is generated by calling LogonUser.
//
//
//
// MessageId: SE_AUDITID_ACCOUNT_LOGON
//
// MessageText:
//
// Logon attempt by: %1%n
// Logon account: %2%n
// Source Workstation: %3%n
// Error Code: %4%n
//
#define SE_AUDITID_ACCOUNT_LOGON ((ULONG)0x000002A8L)
//
//
// SE_AUDITID_AS_TICKET
//
// Category: SE_CATEGID_ACCOUNT_LOGON
//
// Parameter Strings -
//
// 1 - User name of client
//
// 2 - Supplied realm name
//
// 3 - SID of client user
//
// 4 - User name of service
//
// 5 - SID of service
//
// 6 - Ticket Options
//
// 7 - Failure code
//
// 8 - Ticket Encryption Type
//
// 9 - Preauthentication type (i.e. PK_INIT)
//
// 10 - Client IP address
//
//
// MessageId: SE_AUDITID_AS_TICKET
//
// MessageText:
//
// Authentication Ticket Request:%n
// %tUser Name:%t%t%1%n
// %tSupplied Realm Name:%t%2%n
// %tUser ID:%t%3%n
// %tService Name:%t%t%4%n
// %tService ID:%t%t%5%n
// %tTicket Options:%t%t%6%n
// %tResult Code:%t%t%7%n
// %tTicket Encryption Type:%t%8%n
// %tPre-Authentication Type:%t%9%n
// %tClient Address:%t%t%10%n
//
#define SE_AUDITID_AS_TICKET ((ULONG)0x000002A0L)
No logoff event is generated on the DC.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
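A small parser over the two message formats quoted above, added here as an example (it is not code from the thread and not Microsoft code): it pulls the account and source out of 680 and 672 message bodies and ignores 540/538, so that only the DC's credential validations for a given user remain. The sample records are constructed (invented realm, SIDs, workstation names and addresses) and use the Windows 2000/2003 event IDs from msaudite.h; on Vista/2008 and later the same audits are 4776 and 4768.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the msaudite.h excerpt: SE_AUDITID_AS_TICKET is 0x2A0 (672) and
# SE_AUDITID_ACCOUNT_LOGON is 0x2A8 (680). Both are logged on the DC.
EVENT_AS_TICKET = 0x2A0       # 672: Kerberos AS ticket request
EVENT_ACCOUNT_LOGON = 0x2A8   # 680: NTLM credential validation (LogonUser)


@dataclass
class CredentialValidation:
    event_id: int
    account: str        # the user the DC validated, not the SYSTEM shown in the event header
    source: str         # "Source Workstation" (680) or "Client Address" (672)
    result_code: str
    success: bool


def _fields(message: str) -> dict:
    """Split a message body into a label -> value map.

    Both formats in msaudite.h are one "Label:<tab or space>value" pair per line,
    so splitting on the first ':' of each line is enough."""
    fields = {}
    for line in message.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def parse_event(event_id: int, message: str) -> Optional[CredentialValidation]:
    """Parse a 680 or 672 message body; any other event ID returns None."""
    f = _fields(message)
    if event_id == EVENT_ACCOUNT_LOGON:
        # 680: "Logon attempt by:" is the auth package, "Logon account:" is the user.
        code = f.get("Error Code", "")
        return CredentialValidation(event_id, f.get("Logon account", ""),
                                    f.get("Source Workstation", ""), code, code == "0x0")
    if event_id == EVENT_AS_TICKET:
        # 672: parameter 1 is the client user name, parameter 10 the client IP.
        # The constructed samples use "0x0" for success; a real 2003 DC may log "-".
        code = f.get("Result Code", "")
        return CredentialValidation(event_id, f.get("User Name", ""),
                                    f.get("Client Address", ""), code, code in ("0x0", "-"))
    return None


def credential_validations(records: List[Tuple[int, str]],
                           account: str) -> List[CredentialValidation]:
    """Return every DC-side credential validation (672/680) for one account.

    540/538 records are skipped on purpose: they describe logon sessions on the
    server that logged them (network logons for scripts, policy, shares), and a
    538 on the DC does not mean the user logged off the workstation."""
    hits = []
    for event_id, message in records:
        parsed = parse_event(event_id, message)
        if parsed is not None and parsed.account.lower() == account.lower():
            hits.append(parsed)
    return hits


# Constructed sample records (event ID, message body) in the 2003-era text layout.
SAMPLE_EVENTS = [
    (680, "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "Logon account: user1\n"
          "Source Workstation: XPCLIENT\n"
          "Error Code: 0x0"),
    (672, "Authentication Ticket Request:\n"
          "\tUser Name:\t\tuser1\n"
          "\tSupplied Realm Name:\tEXAMPLE.LOCAL\n"
          "\tUser ID:\tS-1-5-21-1111-2222-3333-1105\n"
          "\tService Name:\t\tkrbtgt\n"
          "\tService ID:\t\tS-1-5-21-1111-2222-3333-502\n"
          "\tTicket Options:\t\t0x40810010\n"
          "\tResult Code:\t\t0x0\n"
          "\tTicket Encryption Type:\t0x17\n"
          "\tPre-Authentication Type:\t2\n"
          "\tClient Address:\t\t10.0.0.15"),
    (540, "Successful Network Logon:\n\tUser Name:\tuser1\n\tDomain:\tEXAMPLE\n\tLogon Type:\t3"),
    (538, "User Logoff:\n\tUser Name:\tuser1\n\tDomain:\tEXAMPLE\n\tLogon Type:\t3"),
    (680, "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "Logon account: svc-backup\n"
          "Source Workstation: FILESRV01\n"
          "Error Code: 0xC000006A"),   # STATUS_WRONG_PASSWORD
]


if __name__ == "__main__":
    for hit in credential_validations(SAMPLE_EVENTS, "user1"):
        print(hit.event_id, hit.account, hit.source, hit.result_code, hit.success)
```

Run against the samples, the two hits for user1 are the 680 from XPCLIENT and the 672 from 10.0.0.15; the 540 and 538 for the same user are never returned, which is the point of the thread: the DC records that the credentials were validated and where from, but nothing on the DC tells you when the interactive session on the member machine ended.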
"Nadir" wrote:
No.
In fact I am getting 680, but that is not against my member machine and user name. In the DC event log I am not getting any event 680 against the user I used to log in from my AD member machine. My concern is very simple: how can I tell from the DC's event log that someone logged on to a member machine, and when did he log off?
Regards
Tariq
"Eric Perlin [MSFT]" <EricPerlinMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:6C957335-B5B7-4547-B88A-C752B59714D2@xxxxxxxxxxxxxxxx
Oops, it looks like I read the question a little too fast!
Anyway, I believe you're looking at network logon events (accessing shares for logon/logoff scripts and maybe group policy).
The interactive logon should occur first (event 680?).
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
Eric Perlin [MSFT]
"Nadir" wrote:
Eric
The issue is that the W2k3 machine is a DC and I am trying to figure out who is logging in and out on that DC. But when I log in on a member machine once, I get multiple logon events (540) and also, even though I haven't logged off, I get many logoff events (538) for the same user anyway. Another strange behaviour is that when I log off on a member machine I get another logon and then logoff. This is really strange.
I just want to know who logged on to the DC and when he logged off :(, but Event Viewer has no hint in its events; instead it is mixing up things.
Thanks
Nadir Tariq
"Eric Perlin [MSFT]" <EricPerlinMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:0B09B137-CCBD-4A39-B2B3-65018AB2FAA3@xxxxxxxxxxxxxxxx
What you're seeing are probably artifacts of the optimized logon (a cached logon first, followed by async logon hitting the DC). When the second logon succeeds, the token is closed right away and this generates a "logoff" event.
Assuming you're doing this from a service, the easiest way to monitor logon/logoff is to register for TS notifications (specify SERVICE_ACCEPT_SESSIONCHANGE during the call to SetServiceStatus). You'll then receive notifications in your service control handler. They contain the session id in which the event happened. You can use WTS APIs to query more data about the user who logged on.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]
"Nadir" wrote:
Hi
On Windows 2k3 Server, I was exploring the event log to see when a user logged in and when a user actually logged off, but was shocked by the results.
I used a Windows XP based machine to log on to the domain controller using user name user1, and when I saw the log at the domain controller corresponding to this login, I saw multiple logon events (540) in the event log. Also there were some logoff events for the user as well, although I never logged out of the XP machine. Surprises.
Can anybody explain why this is happening and how I can get the exact event for an interactive logon and logoff, using which events on a domain controller?
Thanks
Tariq