Domain User Logon Event ID
A better way of monitoring user logons with Lepide Active Directory Auditor.
When an admin logs on interactively to a system with UAC enabled, Windows actually creates 2 logon sessions, one with and. In other words, it points out how the user logged on. There are a total of nine different types of logons; the most common logon types are. To configure auditing on domain controllers, you need to edit and update the DDCP (Default Domain Controller Policy). When a new user account is created in Active Directory with the option "User must change password at next logon", the following event IDs will be generated. The following image shows the user logon event in a domain through the easy-to-use interface of Lepide Active Directory Auditor (part of Lepide Data Security Platform).
Logon type 2 (Interactive) and logon type 3 (Network). "Audit logon events" records logons on the PC(s) targeted by the policy, and the results appear in the Security log on that PC(s). 2000/2003: success net logon 540, auth ticket granted 672, service ticket granted 673, ticket granted (renew) 674. 2008/2012, including security event IDs from Active Directory used with User-ID Agent (Knowledge Base, Palo Alto Networks). Their workstation automatically re-uses the domain credentials they entered at logon to connect to other servers.
You can see an example of an Event Viewer user logon event ID and logoff with the same Logon ID below. Login event ID in Event Viewer: in this example, the lab administrator account had logged in (ID 4624) on 8/27/2015 at 5:28 PM with a Logon ID of 0x146ff6. While a user is logged on, they typically access one or more servers on the network. Win2016/10: This is relevant to User Account Control and interactive logons.
This field reveals the kind of logon that occurred. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event, 4647 or 4634. And if he logs off the system at 6 PM, we will get the logoff event, either 4634 or 4647 (Interactive and RemoteInteractive (remote desktop) logons), with the same Logon ID 0x24f6. If the system is shut down, all logon sessions get terminated, and since the user didn't initiate the logoff, event ID 4634 is not logged.
For example, if the user admin logs on at 10 AM, we will get the following logon event. It shows you the answers to the who, what, when and where questions crucial for Active Directory auditing in one place and in a way that is. Create a logon script on the required domain/OU/user account with the following content. "Audit account logon events" tracks logons to the domain, and the results appear in the Security log on domain controllers only.
For more info about account logon events, see "Audit account logon events". The important information that can be derived from event 4624 includes.