Re: windows 2000 lock workstation auditing
From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 03/13/03
- Next message: news.microsoft.com: "Re: Very good break in"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Desription of Security Eventlog Entry "Caller Logon ID""
- In reply to: J Bowers: "windows 2000 lock workstation auditing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> Date: Thu, 13 Mar 2003 13:32:06 -0800
No events are logged when a workstation is locked. We will be changing that
in the Longhorn release. You see a logon and logoff event at unlock, as we
use a call to LogonUser() to validate the user's password at unlock, and
then destroy the resultant, unneeded logon session.
Eric
-- Eric Fitzgerald Program Manager, Windows Auditing and Intrusion Detection Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "J Bowers" <jbowers@nospam.analytika.com> wrote in message news:0d7901c2e7f5$afff40a0$7d02280a@phx.gbl... > I've been searching for information about a problem I'm > having. I need to see the time when a workstation is > locked. Auditing is enabled, but I only get both the 528 > and 538 events when the machine is unlocked. Nothing is > logged when it is locked. > > I've found one reference that matches my problem, but with > no reason given for the problem, status of it, or fixes > available. > > Thanks for any help, > Jeremy
- Next message: news.microsoft.com: "Re: Very good break in"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Desription of Security Eventlog Entry "Caller Logon ID""
- In reply to: J Bowers: "windows 2000 lock workstation auditing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
