Windows events user logon

Logon failures appear as a single failure event. In earlier Windows versions, several different events were used for failures; the newer event merges them and includes a failure code that helps identify the reason for the failure.

Microsoft did a good thing by adding the Failure Reason section to the newer Windows Server events. This section provides some of the translation for you, but you can still earn your salt by becoming familiar with the underlying status and sub-status codes.

Finally, this subcategory includes the event "A logon was attempted using explicit credentials", which appears in a variety of situations, such as when RunAs is invoked or when a scheduled task runs. Ostensibly, the Logoff subcategory should also let you track the end of each logon session through its logoff event, but that event is not reliable. For example, if a dirty shutdown occurs, the logoff event appears only during the subsequent startup, when the operating system realizes that the user is no longer connected.

To compensate for the problems with using the regular logoff event to accurately track logoffs, Windows also logs the event "A user initiated a logoff". This event indicates that the user, rather than the system, started the logoff process. The regular logoff event usually follows a couple of seconds later. The user-initiated logoff event is probably the better one to use for tracking the termination of interactive logon sessions. No events are associated with the Account Lockout subcategory.

The three IPsec subcategories (Main Mode, Quick Mode, and Extended Mode) generate many events, so you might want to consider turning on this auditing only while troubleshooting IPsec or firewall issues. IPsec uses packet filtering and encryption to enhance security and provides authentication, integrity checking, and optional encryption at the packet level.

IPsec can provide a defense against network attacks by untrusted computers. A security association (SA) is first established with IPsec Main Mode (also known as Phase 1); if this subcategory is enabled, those events appear in the audit log. The negotiation of Quick Mode is protected by the Main Mode encryption and filtering rules. In Quick Mode, two SAs are used: one for incoming packets and one for outgoing packets.

With Extended Mode, another round of authentication can be performed. The events tell you whether negotiation and authentication succeed and SAs are established, or whether negotiation fails.

The Special Logon subcategory contains only one event, which indicates that a highly privileged user has logged on. This event is written whenever an account that is assigned any "administrator-equivalent" user right logs on. For instance, you will see it in close proximity to the logon event for administrators, because administrators hold most of these administrator-equivalent rights. It is useful for detecting any "super user" account logons.

The event is also logged for server or application accounts that log on as a batch job (scheduled task) or as a system service; see the Logon Type field of the logon event. Note: "user rights" and "privileges" are synonymous terms that are used interchangeably in Windows. Administrator-equivalent rights are powerful authorities that allow the holder to circumvent other Windows security controls.

Most administrator-equivalent privileges are intended for services and applications that interact closely with the operating system. With just a few exceptions, they neither need to be nor should be granted to end-user accounts. If your organization has a policy requiring unattended sessions to be locked (and it should), these events let an auditor see whether interactive and remote Terminal Server sessions are actually being locked when unattended.
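The two correlations described above, matching the special-logon event to the logon it belongs to and preferring the user-initiated logoff over the regular logoff event to close a session, plus the failure-code translation from the Logon subcategory, as an added PowerShell example. This is not code from the original article. It assumes the numeric Security-log event IDs and NTSTATUS codes Windows actually uses (4624 logon, 4625 failure, 4634 logged off, 4647 user-initiated logoff, 4672 special logon; 0xC000006A wrong password, 0xC0000234 locked out, and so on), which the text as reproduced here omits. The sample records at the bottom are constructed for the demo, not captured from a real host.

```powershell
# Added example, not code from the original article. Correlates Security-log
# logon events by Logon ID and translates 4625 failure codes. Event IDs and
# NTSTATUS values are the documented Windows ones; sample records are constructed.

$FailureReasons = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Logon from unauthorized workstation'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
    '0xC0000234' = 'Account locked out'
    '0xC000006D' = 'Bad user name or password (generic; see sub-status)'
}

function Get-LogonFailureReason {
    param([string]$Status, [string]$SubStatus)
    # SubStatus carries the specific cause; Status is usually the generic 0xC000006D.
    # Some failures (e.g. lockout) put the real code in Status and 0x0 in SubStatus.
    foreach ($code in @($SubStatus, $Status)) {
        if ($code -and $FailureReasons.ContainsKey($code)) { return $FailureReasons[$code] }
    }
    return "Unknown ($Status / $SubStatus)"
}

# Normalise a live Get-WinEvent record into the flat shape used below.
# Which field holds the session's Logon ID differs per event: 4624/4634 use
# TargetLogonId, while 4647/4672 use SubjectLogonId.
function ConvertFrom-SecurityEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $usesSubject = $Record.Id -in 4647, 4672
    $logonId = if ($usesSubject) { $data.SubjectLogonId }   else { $data.TargetLogonId }
    $user    = if ($usesSubject) { $data.SubjectUserName }  else { $data.TargetUserName }
    [pscustomobject]@{
        Id = $Record.Id; Time = $Record.TimeCreated; LogonId = $logonId; User = $user
        LogonType = $data.LogonType; Status = $data.Status; SubStatus = $data.SubStatus
    }
}

function Get-LogonSessions {
    param([object[]]$Events)
    $sessions = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        if ($e.Id -notin 4624, 4634, 4647, 4672) { continue }
        if (-not $sessions.ContainsKey($e.LogonId)) {
            # 4672 is normally written just before its 4624, so create the entry on first sight.
            $sessions[$e.LogonId] = [pscustomobject]@{
                LogonId = $e.LogonId; User = $e.User; LogonType = $null
                Start = $null; End = $null; EndedBy = $null; Privileged = $false
            }
        }
        $s = $sessions[$e.LogonId]
        switch ($e.Id) {
            4624 { $s.Start = $e.Time; $s.LogonType = $e.LogonType; $s.User = $e.User }
            4672 { $s.Privileged = $true }
            4647 { $s.End = $e.Time; $s.EndedBy = 'user' }          # preferred end marker
            4634 { if (-not $s.End) { $s.End = $e.Time; $s.EndedBy = 'system' } }
        }
    }
    $sessions.Values | Sort-Object Start
}

function Get-LogonFailures {
    param([object[]]$Events)
    foreach ($e in ($Events | Where-Object Id -eq 4625)) {
        [pscustomobject]@{ Time = $e.Time; User = $e.User; LogonType = $e.LogonType
                           Reason = Get-LogonFailureReason $e.Status $e.SubStatus }
    }
}

# Constructed sample records: a privileged interactive logon the user ends
# (4647 then 4634), a service logon ended by the system, and two failures.
$t = Get-Date '2024-05-01 09:00:00'
$sample = @(
    [pscustomobject]@{ Id=4672; Time=$t;                          LogonId='0x3E7A1'; User='alice';  LogonType=$null; Status=$null; SubStatus=$null }
    [pscustomobject]@{ Id=4624; Time=$t.AddSeconds(1);            LogonId='0x3E7A1'; User='alice';  LogonType='2';   Status=$null; SubStatus=$null }
    [pscustomobject]@{ Id=4624; Time=$t.AddMinutes(5);            LogonId='0x3E7';   User='SYSTEM'; LogonType='5';   Status=$null; SubStatus=$null }
    [pscustomobject]@{ Id=4625; Time=$t.AddMinutes(10);           LogonId=$null;     User='bob';    LogonType='3';   Status='0xC000006D'; SubStatus='0xC000006A' }
    [pscustomobject]@{ Id=4625; Time=$t.AddMinutes(11);           LogonId=$null;     User='bob';    LogonType='3';   Status='0xC0000234'; SubStatus='0x0' }
    [pscustomobject]@{ Id=4647; Time=$t.AddHours(8);              LogonId='0x3E7A1'; User='alice';  LogonType=$null; Status=$null; SubStatus=$null }
    [pscustomobject]@{ Id=4634; Time=$t.AddHours(8).AddSeconds(3); LogonId='0x3E7A1'; User='alice'; LogonType='2';   Status=$null; SubStatus=$null }
    [pscustomobject]@{ Id=4634; Time=$t.AddHours(9);              LogonId='0x3E7';   User='SYSTEM'; LogonType='5';   Status=$null; SubStatus=$null }
)

Get-LogonSessions $sample | Format-Table LogonId, User, LogonType, Start, End, EndedBy, Privileged
Get-LogonFailures $sample | Format-Table Time, User, LogonType, Reason
```

Against the sample, alice's session is reported as Privileged with EndedBy 'user' (the 4647 wins and the later 4634 does not overwrite it), the SYSTEM session is closed by 4634 with EndedBy 'system', and the second 4625 resolves to "Account locked out" through the Status fallback. To run the same logic against a live host, feed it `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4634,4647,4672} | ForEach-Object { ConvertFrom-SecurityEvent $_ }`; sessions that only ever receive a 4672 without a 4624 in your time window will show an empty Start, which is expected when the window cuts the pair apart.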
