Re: Auditing User logon/logoff events.

From: Varadarajam (Varadarajam_at_discussions.microsoft.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 07:39:04 -0700

Hi Steven

Thanks for your response.

Unfortunately I wasn't able to find what I need. Actually I did what you
said in the document: I enabled "Account logon events" only in domain
controller security policy for success and failure, and in "Audit logon
Events" I enabled failure only, as you said.

For the Users group policy I enabled Audit logon events for both success and
failure.

Then I am getting 672, 673 event IDs in my domain controller's event viewer.

672 is for "authentication ticket granted", authentication type is 2. Here
what I did find is that when any user is logging on from their client machine,
I can see this log in the domain controller security log. Immediately I am
finding 3 more 673 events for the same user. 673 is for "service ticket
granted". For logging off I am finding any log

And suppose the client locks the system and goes away, and then logs on to
the system again; then I should be able to find the log in my domain
controller event viewer.

And in the client computer event viewer I am not finding anything in the
security log after I did the above.

How about 528 and 529 events? What are those for?

Actually I have been fighting with this for the past 15 days, but there has
been no luck till now.

Please help me, Steven. Waiting for your reply.

Thanks

Varadarajam.

"Steven L Umbach" wrote:

> What you want to do is to enable auditing of "account logon events" in
> "Domain Controller Security Policy" and either do not use auditing of "logon
> events" there or just enable it for failure. Auditing of account logon
> events will record when users logon to the domain. Logon events would only
> show type 3 network logons to the domain controller for when a user/computer
> accesses a share on the domain controller such as the sysvol share. However
> auditing of account logon events will only display logons for the users -
> not logoffs. To track user logons and logoffs from specific domain computers
> you will need to enable auditing of "logon events" on those domain computers
> which can be done via Group Policy. Those logon/logoff events would be
> recorded in the local security logs of the domain computers. The link below
> may be of help. --- Steve
>
> http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
>
>
> "Varadarajam" <Varadarajam@discussions.microsoft.com> wrote in message
> news:2F321DCC-6FA4-4570-86D9-9A1491682400@microsoft.com...
> > Hi
> >
> > I have one Domain controller, one ADC with Win2000 Server with SP4 and
> > others are some clients having win2000 professional OS with SP4.
> >
> > What my intention is: I need to track the user login and logoff
> > information. When the users log on / log off from their client machines,
> > I should be able to see the user logon / logoff information in my Domain
> > controller Event Viewer.
> >
> > For that I enabled "audit logon events" in my Domain Controller -->
> > Domain controller Security Policy --> security settings --> local policies
> > --> audit policy.
> >
> > Then I found some event logs in the Domain controller Security event
> > viewer having event IDs 540 and 538. 540 is the successful network logon
> > and 538 is for logoff.
> > After the 540 event ID, it immediately shows a 538 event ID. I got very
> > confused about this. And also I found that some websites mention 528 for
> > user login and 529 for user logoff. But I am not finding those event IDs
> > in my Domain controller event viewer.
> >
> > I have been trying to solve this issue for a long time, but till now
> > there is no luck. If anyone knows about this, kindly please inform me.
> > Thanks in advance.
> >
> > Varadarajam.P.V.
>
>
>
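
Added example, not part of the original thread: a Python sketch of the correlation Steven's reply implies, pairing logon events (528, 540) with logoff events (538) by Logon ID in records taken from one workstation's local Security log, which is where "logon events" auditing writes them. The CSV layout, sample rows and function names are constructed for this example; 529 is counted as a failed logon, and type 3 network sessions are filtered out of the console view.

```python
import csv
import io
from datetime import datetime

# Constructed sample: rows as they might be exported from one workstation's
# local Security log (the column names are this example's assumption).
SAMPLE = """\
time,event_id,user,logon_id,logon_type
2005-09-16 08:01:10,529,alice,,2
2005-09-16 08:01:25,528,alice,0x1A2B3,2
2005-09-16 08:05:00,540,bob,0x1A9F0,3
2005-09-16 08:05:01,538,bob,0x1A9F0,3
2005-09-16 12:30:45,538,alice,0x1A2B3,2
2005-09-16 13:02:00,528,carol,0x1B000,2
"""

LOGON_IDS = {528, 540}   # 528 successful logon, 540 successful network logon
LOGOFF_ID = 538          # user logoff
FAILURE_ID = 529         # logon failure: unknown user name or bad password
FMT = "%Y-%m-%d %H:%M:%S"

def pair_sessions(csv_text):
    """Return (sessions, failures); logon and logoff are matched on Logon ID."""
    open_sessions, sessions, failures = {}, [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = int(row["event_id"])
        when = datetime.strptime(row["time"], FMT)
        if eid in LOGON_IDS:
            open_sessions[row["logon_id"]] = {"user": row["user"],
                "type": int(row["logon_type"]), "logon": when, "logoff": None}
        elif eid == LOGOFF_ID:
            s = open_sessions.pop(row["logon_id"], None)
            if s:  # a 538 with no matching logon in this export is ignored
                s["logoff"] = when
                sessions.append(s)
        elif eid == FAILURE_ID:
            failures.append((when, row["user"]))
    sessions.extend(open_sessions.values())  # no logoff seen yet
    return sessions, failures

def interactive(sessions):
    """Keep console logons (type 2); drop type 3 network sessions."""
    return [s for s in sessions if s["type"] == 2]

if __name__ == "__main__":
    found, failed = pair_sessions(SAMPLE)
    for s in interactive(found):
        print(s["user"], s["logon"], "->", s["logoff"] or "no logoff seen")
    print("failed logons:", failed)
```

In the constructed data the type 3 session opens and closes within one second, the same 540-then-538 pattern described in the first post.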


