Re: logon and account logon audit events

From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: 09/30/04


Date: Thu, 30 Sep 2004 20:16:47 GMT

Assuming that the necessary events are enabled for auditing, when you log on
to a domain computer as a domain user, an "account logon" event is recorded
in the security log on the domain controller that authenticated you and a
"logon" event is recorded in the security log of the domain computer you
logged onto.

If you map a share or use Network Places to access a share on a domain
computer, a "logon" event is recorded in the security log of the domain
computer itself. Few people seem to understand this correctly. --- Steve

"djc" <noone@nowhere.com> wrote in message
news:usxlK3xpEHA.4004@TK2MSFTNGP10.phx.gbl...
> Hey Steven,
> Thanks for the reply. Please see inline for clarification questions. You
> also replied to a different issue I had with regard to misinformation with
> this same book. I don't know why I'm still reading it.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:WIX6d.82369$wV.39078@attbi_s54...
> > You are correct. Account logon events are recorded on the computer that
> > authenticates the user
> (ok.. yep) - domain controller for domain user and local
> > computer for local account
> (ok.. yep.. still with you). Logon events are recorded when a user accesses a
> > share
> (A: with you but with question; see below) or logs onto a domain computer
> (B: this is where I need clarification: what exactly do you mean by 'logs
> onto a domain computer'?). --- Steve
>
> A: where would this type be logged? in the security log of the system
> running the server.exe service?
> B: what constitutes logging on to a domain computer in this context? opening
> up a mapped drive? navigating through network neighborhood to a server
> share? using a UNC path to a server share? When I read your response I feel
> like I'm with you all the way until this last part really, because 'logs
> onto a domain computer' sounds like a ctr+alt+del interactive login to me.
>
> I know, I'm hard headed... but I appreciated your help. I will read the
> links you provided as well. Thanks.
>
> >
> > http://www.microsoft.com/technet/security/guidance/secmod144.mspx --
> > probably better source than your book.
> >
> > http://www.amazon.com/exec/obidos/ASIN/0735618682/qid%3D1030669239/sr%3D11-1/ref%3Dsr%5F11%5F1/104-2211302-2359957
> > -- good book on Microsoft security.
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:uDi47LxpEHA.132@TK2MSFTNGP14.phx.gbl...
> > > I just had a book tell me that Logon Events were users interactively logging
> > > onto a computer or the domain (after hitting ctr+alt+del, for example) and
> > > that Account Logon events were users connecting to remote machines for
> > > resource usage (connecting to a shared folder, for example)
> > >
> > > isn't this backwards? isn't the opposite the truth?
> > >
> > >
> >
> >
>
>
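
Added example (not part of the original thread): a Python sketch that sorts constructed security-log records the way Steve describes, attributing "account logon" events to the machine that authenticated the account and "logon" events to the machine that was accessed, with the logon type separating an interactive (Ctrl+Alt+Del) logon from share access. The host names, users and records are constructed, and the event IDs (Windows 2000/2003-era, with later equivalents) are assumptions that the thread itself does not quote.

```python
from collections import defaultdict

# Assumed event IDs (not quoted in the thread): Windows 2000/2003-era IDs
# followed by their later equivalents.
ACCOUNT_LOGON_IDS = {672, 673, 680, 4768, 4769, 4776}  # written by the authenticating machine
LOGON_IDS = {528, 540, 4624}                           # written by the machine being accessed
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote-interactive"}

# Constructed sample records, as if collected from four security logs.
SAMPLE_EVENTS = [
    {"host": "DC1",  "id": 672, "user": "alice"},                    # DC authenticates alice
    {"host": "WS07", "id": 528, "user": "alice", "logon_type": 2},   # Ctrl+Alt+Del at WS07
    {"host": "DC1",  "id": 673, "user": "alice"},                    # service ticket for FS01
    {"host": "FS01", "id": 540, "user": "alice", "logon_type": 3},   # mapped share on FS01
    {"host": "WS09", "id": 680, "user": "localadmin"},               # local account, local auth
    {"host": "WS09", "id": 528, "user": "localadmin", "logon_type": 2},
    {"host": "WS09", "id": 517, "user": "localadmin"},               # unrelated event, ignored
]

def category(event):
    """Return the audit category an event belongs to, or None if unrelated."""
    if event["id"] in ACCOUNT_LOGON_IDS:
        return "account logon"
    if event["id"] in LOGON_IDS:
        return "logon"
    return None

def summarize(events):
    """Per user: which hosts authenticated the account and where it was used."""
    report = defaultdict(lambda: {"authenticated_by": set(),
                                  "used_on": defaultdict(set)})
    for ev in events:
        cat = category(ev)
        if cat is None:
            continue
        entry = report[ev["user"]]
        if cat == "account logon":
            entry["authenticated_by"].add(ev["host"])
        else:
            kind = LOGON_TYPES.get(ev.get("logon_type"), "other")
            entry["used_on"][ev["host"]].add(kind)
    return report

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_EVENTS).items():
        print(user, "authenticated by", sorted(info["authenticated_by"]))
        for host, kinds in info["used_on"].items():
            print("   logon on", host, "->", sorted(kinds))
```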


