Re: auditing logons - someone please clear this #@#$! up.
Probably the best short explanation I have heard is that "account logon"
events are recorded on the computer that authenticates the account, while
"logon" events are created where the account is used. For example, in a
domain, for a domain user "account logon" events will only be recorded on the
domain controller that authenticates the user, while "logon" events will be
recorded on the domain computers that the user uses. When a user logs onto a
domain computer interactively, a type 2 "logon" event will be recorded in the
security log of the domain computer [assuming auditing of "logon" events is
enabled], and when a domain user accesses a share on a domain computer, a type
3 "logon" event will be recorded in the security log of the computer that has
the share, even though the computer that has the share did not authenticate
the user - a domain controller did. When you see type 3 "logon" events in the
security log of a domain controller, that usually shows not that the user
logged onto the domain controller interactively but most likely that the
user/computer accessed the sysvol share for Group Policy. The free Windows
2003 Server Security Guide has an explanation of many common Event IDs that
you will see in the security and other logs. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
--- Kerberos error troubleshooting

"djc" <noone@xxxxxxxxxxx> wrote in message
news:eqlnPkeFGHA.3000@xxxxxxxxxxxxxxxxxxxxxxx
> Apparently I still don't have it all straight. I blame the resources I've
> used so far... they have all been incomplete at best, and often just wrong.
> Anyway, here is a site that, so far, IS good. I have not read all the
> articles yet but the quick reference guide is very helpful, along with the
> Kerberos error code listings and explanation of the event IDs. I have found
> very good and helpful info:
>
> http://www.ultimatewindowssecurity.com/
>
> "djc" <noone@xxxxxxxxxxx> wrote in message
> news:%232Oyd9sEGHA.516@xxxxxxxxxxxxxxxxxxxxxxx
>> Well, in theory I understand the difference between logon/logoff and
>> account logon/logoff. I have read about it in books and have studied the
>> subject from practice test questions for MS certifications. I can honestly
>> tell you I can get every question right and still be completely confused
>> when I look at a security log!
>>
>> account logons: these are 'domain accounts' and get logged on whatever DC
>> did the authentication. These occur when logging on interactively to any
>> computer in the domain.
>>
>> logons: these are local account logons and get logged on the machine
>> where the logon took place, could be DC or any other server or
>> workstation. They occur when logging on interactively OR when connecting
>> remotely via resource share.
>>
>> I am aware that during an interactive logon an account logon gets logged
>> on the DC, a logon gets logged on the DC (because scripts etc. are
>> accessed) and a logon gets logged on whatever machine the interactive
>> logon took place.
>>
>> Just getting that out because when ANY question related to this gets
>> asked, that's usually the answer you get whether that's what you're asking
>> or not.
>>
>> Based on what I read and stated above it's very simple. The security logs
>> tell another story though.
>>
>> 1) I DO see account logon events logged on non-DC computers?
>>
>> 2) When taking the simple rules as laid out in books and test questions
>> you would think it would be easy to get an answer to the fundamental
>> question that is the purpose of this whole thing to begin with: A LOGON
>> SUCCEEDED/FAILED. WHAT USERNAME? FROM WHERE? Now I can handle the fact
>> that one interactive logon triggers 3 event log entries because that makes
>> sense. But I see WAY more than 3 entries triggered by what I can only
>> assume was 1 real event. But I don't know.
>>
>> What does Pre-authentication failed: ID 675 mean?
>> What does Authentication Ticket Request Failed: ID 676 mean?
>> What does Service Ticket Request Failed: ID 677 mean?
>>
>> And there are several more! Yes, I know, Kerberos. I understand the
>> Kerberos process. But I don't know how to look at a security log and
>> answer the simple question of A LOGON SUCCEEDED/FAILED. WHAT USERNAME?
>> FROM WHERE?
>>
>> Anyone care to take a stab at explaining this? I am really frustrated at
>> the fact that I can get every test question related to this right but
>> still am not able to do anything useful with it. I know I am making myself
>> look bad but that's where I'm at. Yep, I'm an MCSA 2000: Security! Funny,
>> huh.
>>
>
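Steve's rule (account logon = recorded by the authenticator, logon = recorded where the account is used, type 3 on a DC usually being sysvol access) applied to a constructed set of exported log records, as an added example that is not code from any poster in the thread. Host names, the IP address, the user name, and the 528/529/540 (logon category) and 672/673 (Kerberos ticket granted) IDs are assumptions beyond what the thread quotes; 675/676/677 are the IDs djc asks about.

```python
# Added example (not from the thread): sort exported security-log records into
# "account logon" (recorded by the authenticator) vs "logon" (recorded where used).
from dataclasses import dataclass
from typing import Optional

# 675/676/677 are the thread's IDs; 528/529/540 and 672/673 are standard IDs.
ACCOUNT_LOGON = {672: ("success", "TGT granted"),
                 673: ("success", "service ticket granted"),
                 675: ("failure", "pre-authentication failed"),
                 676: ("failure", "authentication ticket request failed"),
                 677: ("failure", "service ticket request failed")}
LOGON = {528: "success", 540: "success", 529: "failure"}
LOGON_TYPES = {2: "interactive", 3: "network (share access)"}

@dataclass
class Event:
    computer: str                     # machine whose security log holds it
    event_id: int
    user: str
    source: str                       # client address / workstation field
    logon_type: Optional[int] = None  # only on logon-category events

def triage(ev: Event, domain_controllers: set) -> dict:
    """Answer: category, succeeded/failed, which user, from where."""
    if ev.event_id in ACCOUNT_LOGON:
        outcome, detail = ACCOUNT_LOGON[ev.event_id]
        meaning = f"{ev.computer} authenticated {ev.user}: {detail}"
        return dict(category="account logon", outcome=outcome,
                    user=ev.user, source=ev.source, meaning=meaning)
    if ev.event_id in LOGON:
        kind = LOGON_TYPES.get(ev.logon_type, f"type {ev.logon_type}")
        meaning = f"{ev.user} used {ev.computer} ({kind} logon)"
        if ev.logon_type == 3 and ev.computer in domain_controllers:
            meaning += "; on a DC this is usually SYSVOL/Group Policy access"
        return dict(category="logon", outcome=LOGON[ev.event_id],
                    user=ev.user, source=ev.source, meaning=meaning)
    return dict(category="other", outcome="n/a", user=ev.user, source=ev.source, meaning="")

def failed_logons(events, domain_controllers):
    """(user, source, meaning) for each failed record: the thread's question."""
    return [(r["user"], r["source"], r["meaning"]) for r in
            (triage(e, domain_controllers) for e in events) if r["outcome"] == "failure"]

# Constructed trail: one interactive domain logon (seen on DC01 and WS01), then a failed pre-auth.
SAMPLE = [
    Event("DC01", 672, "jsmith", "10.0.0.15"),           # account logon on DC
    Event("DC01", 540, "jsmith", "WS01", logon_type=3),  # SYSVOL read on DC
    Event("WS01", 528, "jsmith", "WS01", logon_type=2),  # the console logon
    Event("DC01", 675, "jsmith", "10.0.0.15"),           # failed pre-auth
]
```

Running `triage` over `SAMPLE` shows why one console logon produces entries on two machines, and `failed_logons` pulls out the "who, from where" answer for the failures alone.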