Re: logon and account logon audit events
From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: Thu, 30 Sep 2004 20:16:47 GMT
Assuming that the necessary events are enabled for auditing, when you logon
to a domain computer as a domain user an "account logon" event is recorded
in the security log on the domain controller that authenticated you and a
"logon" event is recorded in the security log of the domain computer you
If you map a share, or use Network Places to access a share on a domain
computer a "logon" event is recorded in the security log of the domain
computer itself. Few people seem to understand this correctly. --- Steve
"djc" <firstname.lastname@example.org> wrote in message
> Hey Steven,
> Thanks for the reply. Please see inline for a clarification questions. You
> also replied to a different issue I had with regard to misinformation with
> this same book. I don't know why I'm still reading it.
> "Steven L Umbach" <email@example.com> wrote in message
> > You are correct. Account logon events are recorded on the computer that
> > authenticates the user
> (ok.. yep) - domain controller for domain user and local
> > computer for local account
> (ok.. yep.. still with you). Logon events are recorded when a user
> > share
> (A: with you but with question; see below) or logs onto a domain computer
> (B: this is where I need clarificaiton: what exactly do you mean by 'logs
> onto a domain computer'?). --- Steve
> A: where would this type be logged? in the security log of the system
> running the server.exe service?
> B: what constitutes logging on to a domain computer in this context?
> up a mapped drive? navigating through network neighborhood to a server
> share? using a UNC path to a server share? When I read your response I
> like I'm with you all the way until this last part really, because 'logs
> onto a domain computer' sounds like a ctr+alt+del interactive login to me.
> I know, I'm hard headed... but I appreciated your help. I will read the
> links you provided as well. Thanks.
> > http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
> > probably better source than your book.
> > -- good book on Microsoft security.
> > "djc" <firstname.lastname@example.org> wrote in message
> > news:uDi47LxpEHA.132@TK2MSFTNGP14.phx.gbl...
> > >I just had a book tell me that Logon Events were users interactively
> > >logging
> > > onto a computer or the domain (after hitting ctr+alt+del, for example)
> > > that Account Logon events were users connecting to remote machines for
> > > resourse usage (connecting to a shared folder, for example)
> > >
> > > isn't this backwards? isn't the opposite the truth?
> > >
> > >