Re: Logon Type Identification

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 09/28/05


Date: Wed, 28 Sep 2005 12:15:04 -0500

It does not mean that the user had changed his password - just unlocked the
operating system. Often the screen saver is configured to do this
automatically after a period of idle time or the user locked his computer to
protect access to it using his user account using control-alt-delete - lock
computer.

--- Steve

"Cindy" <Cindy@discussions.microsoft.com> wrote in message
news:63815DDC-B183-4A30-B147-5C629055A52D@microsoft.com...
> Thanks, it was a laptop and users use domain cached logons. Additional
> information|user does not show password change near this time. I will
> have to talk with user when he gets back in town.
>
> "Steven L Umbach" wrote:
>
>> The link below will help. Type 7 means someone unlocked their computer
>> and type 11 is a cached interactive logon which could be of concern
>> unless it is found on laptop computers not connected to the domain.
>> Cached logon means the user logged onto their computer with domain
>> credentials even though a domain controller could not be contacted. For
>> local network computers this could mean a network connectivity problem,
>> dns misconfiguration for the domain controller or domain client, or the
>> user may have intentionally unplugged their network cable to bypass
>> logon/startup scripts and Group Policy refresh. Cached domain logons can
>> be disabled via security policy.
>>
>> --- Steve
>>
>> http://www.windowsecurity.com/articles/Logon-Types.html
>>
>> Logon Type 7 - Unlock
>> Hopefully the workstations on your network automatically start a password
>> protected screen saver when a user leaves their computer so that
>> unattended workstations are protected from malicious use. When a user
>> returns to their workstation and unlocks the console, Windows treats this
>> as a logon and logs the appropriate Logon/Logoff event but in this case
>> the logon type will be 7 - identifying the event as a workstation unlock
>> attempt. Failed logons with logon type 7 indicate either a user entering
>> the wrong password or a malicious user trying to unlock the computer by
>> guessing the password.
>>
>> Logon Type 11 - CachedInteractive
>> Windows supports a feature called Cached Logons which facilitate mobile
>> users. When you are not connected to your organization's network and
>> attempt to logon to your laptop with a domain account there's no domain
>> controller available to the laptop with which to verify your identity. To
>> solve this problem, Windows caches a hash of the credentials of the last
>> 10 interactive domain logons. Later when no domain controller is
>> available, Windows uses these hashes to verify your identity when you
>> attempt to logon with a domain account.
>>
>>
>>
>>
>> "Cindy" <Cindy@discussions.microsoft.com> wrote in message
>> news:8969FBAA-4CF8-4557-B68C-8C1C73E561F0@microsoft.com...
>> > Hi:
>> > I would like to know what the different logon type numbers in logon
>> > events mean. I know Type 2 is interactive logon but type 7 and 11 also
>> > show up in event logs on one of our laptops. I am not looking for the
>> > Event numbers, rather what type of logon was attempted by the different
>> > logon type #s.
>> >
>> > I searched Technet but could only find event numbers for that type 2
>> > was interactive logon.
>> >
>> > Thanks,
>>
>>
>>
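
Added example, not part of the original thread: a small Python triage pass over exported logon records that applies the reading given above (type 11 is expected on laptops away from the domain but worth a look elsewhere; repeated failed type 7 events are wrong passwords or guessing at a locked console). The record field names, host and user names, and the threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Constructed sample records (not real log data). Field names are assumptions;
# map them from whatever your Security log export actually provides.
SAMPLE_EVENTS = [
    {"host": "LAPTOP-01", "user": "user1", "logon_type": 11, "success": True},
    {"host": "LAPTOP-01", "user": "user1", "logon_type": 7, "success": True},
    {"host": "DESK-14", "user": "bob", "logon_type": 11, "success": True},
    {"host": "DESK-22", "user": "alice", "logon_type": 7, "success": False},
    {"host": "DESK-22", "user": "alice", "logon_type": 7, "success": False},
    {"host": "DESK-22", "user": "alice", "logon_type": 7, "success": False},
    {"host": "DESK-22", "user": "alice", "logon_type": 2, "success": True},
]


def triage(events, mobile_hosts, unlock_fail_threshold=3):
    """Return a sorted list of (host, user, finding) tuples worth a follow-up."""
    findings = set()
    failed_unlocks = Counter()
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["logon_type"] == 11 and ev["host"] not in mobile_hosts:
            # Cached logon on a machine that should always reach a domain
            # controller: connectivity or DNS problem, or an unplugged cable.
            findings.add(key + ("type 11 cached logon on non-mobile host",))
        elif ev["logon_type"] == 7 and not ev["success"]:
            # Failed unlock: wrong password or someone guessing at the console.
            failed_unlocks[key] += 1
    for key, count in failed_unlocks.items():
        if count >= unlock_fail_threshold:
            findings.add(key + (f"{count} failed type 7 unlock attempts",))
    return sorted(findings)


if __name__ == "__main__":
    # mobile_hosts is the (assumed) inventory of laptops allowed to roam.
    for host, user, finding in triage(SAMPLE_EVENTS, mobile_hosts={"LAPTOP-01"}):
        print(f"{host}\t{user}\t{finding}")
```

Successful type 7 events and type 11 events on known laptops are deliberately left out of the findings, matching the explanation in the thread.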


