Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity.
Configuring this security setting
Logon Events | Description |
528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
530 | Logon failure. A user account tried to log on outside of the allowed time. |
531 | Logon failure. A logon attempt was made using a disabled account. |
532 | Logon failure. A logon attempt was made using an expired account. |
533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
534 | Logon failure. The user attempted to log on with a type that is not allowed. |
535 | Logon failure. The password for the specified account has expired. |
536 | Logon failure. The Net Logon service is not active. |
537 | Logon failure. The logon attempt failed for other reasons. |
538 | The logoff process was completed for a user. |
539 | Logon failure. The account was locked out at the time the logon attempt was made. |
540 | A user successfully logged on to a network. |
541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
542 | A data channel was terminated. |
543 | Main mode was terminated. (This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.) |
544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
547 | A failure occurred during an IKE handshake. |
548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
550 | Notification message that could indicate a possible denial-of-service attack. |
551 | A user initiated the logoff process. |
552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
682 | A user has reconnected to a disconnected terminal server session. |
683 | A user disconnected a terminal server session without logging off. (This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.) |
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
Logon type | Logon title | Description |
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
Note: Information is taken from the Microsoft website.
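
The event IDs and logon types in the tables above, put to work as a triage sketch. This is an added example, not part of the original post or of Microsoft's documentation: it flags a successful logon (528 or 540) that follows a burst of logon failures (529-537, 539) for the same account, and any successful logon of type 8. The CSV record layout, account and host names, threshold and five-minute window are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs and logon type taken from the tables above.
FAILURES = set(range(529, 538)) | {539}  # 529-537 and 539: logon failure
SUCCESSES = {528, 540}                   # computer logon / network logon
CLEARTEXT = 8                            # logon type 8: NetworkCleartext

# Constructed sample export: time,event ID,logon type,account,source host.
# The layout is an assumption; logon type is filled in for 528 only.
SAMPLE = """\
2024-01-01T09:00:00,528,2,alice,WS01
2024-01-01T09:10:00,529,,bob,WS07
2024-01-01T09:10:20,529,,bob,WS07
2024-01-01T09:10:40,529,,bob,WS07
2024-01-01T09:11:00,540,,bob,WS07
2024-01-01T09:30:00,529,,carol,WS03
2024-01-01T09:50:00,528,2,carol,WS03
2024-01-01T10:00:00,528,8,svc-web,WEB01
"""

def parse(text):
    """Yield (time, event_id, logon_type or None, account, source) tuples."""
    for line in text.strip().splitlines():
        ts, eid, ltype, user, src = line.split(",")
        yield (datetime.fromisoformat(ts), int(eid),
               int(ltype) if ltype else None, user, src)

def triage(events, threshold=3, window=timedelta(minutes=5)):
    """Return alerts for failure bursts ending in success and type 8 logons."""
    recent = defaultdict(deque)  # account -> times of recent logon failures
    alerts = []
    for ts, eid, ltype, user, src in sorted(events, key=lambda e: e[0]):
        fails = recent[user]
        while fails and ts - fails[0] > window:  # drop failures outside window
            fails.popleft()
        if eid in FAILURES:
            fails.append(ts)
        elif eid in SUCCESSES:
            if len(fails) >= threshold:
                alerts.append(("success-after-failures", user, src, len(fails)))
            fails.clear()
            if ltype == CLEARTEXT:
                alerts.append(("cleartext-logon", user, src, eid))
    return alerts

if __name__ == "__main__":
    for alert in triage(parse(SAMPLE)):
        print(alert)
```

The single failure for `carol` 20 minutes before her logon falls outside the window and raises nothing; tune `threshold` and `window` to the account lockout policy in force.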