i) Audit account logon events
ii) Audit logon events
Note: See also these articles: "Enable logon and logoff events via GPO" and "Track logon and logoff activity".
Audit account logon events
This security setting determines whether to audit each instance of a user logging on to or logging off from another computer, where this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller, and the event is logged in the domain controller's security log. If you enable this policy on a workstation or member server, it records any attempt to log on using a local account stored in that computer's SAM.
The following table lists the Event IDs which are logged under the category Audit account logon events.
Account Logon Events | In 2003 | Type | Description |
4768 | 672 | Success, Failure | An authentication service (AS) ticket was successfully issued and validated. |
4769 | 673 | Success, Failure | A ticket granting service (TGS) ticket was granted. |
4770 | 674 | Success | A security principal renewed an AS ticket or TGS ticket. |
4771 | 675 | Failure | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. |
– | 677 | Failure | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
4774 | 678 | Success | An account was successfully mapped to a domain account. |
4776 | 680 | Success, Failure | The domain controller attempted to validate the credentials for an account. |
Audit logon events (Logon/Logoff)
This security setting determines whether to audit each instance of a user logging on to or logging off from a computer. The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. By using these events we can track a user's logon duration by matching the logon event to the logoff event on the Logon ID, a value that is unique to one logon session and appears in both the logon and the logoff event.
For example, if the user 'Admin' logs on at 10 AM, we get logon event 4624 with a Logon ID such as 0x24f6.
If he logs off at 6 PM, we get logoff event 4634 or 4647 (4647 is generated for Interactive and RemoteInteractive (remote desktop) logons) with the same Logon ID 0x24f6.
We can correlate these two events by Logon ID and find the logon duration of the user Admin.
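The correlation described above, as an added example that is not part of the original post: 4624 logon events are paired with 4634/4647 logoff events on the Logon ID and the session duration is computed. The event records are constructed sample data shaped like the EventData fields of the real events (EventID, TimeCreated, TargetUserName, TargetLogonId, LogonType); they are not real log output, and the field names are assumed to have been extracted that way from the event XML. The example also handles two cases a practitioner hits in practice: a session that has not logged off yet, and a logoff whose matching logon is missing because it happened before collection started.

```python
"""Correlate Windows 4624 logon events with 4634/4647 logoff events by Logon ID.
Added example, not code from the original post; the records below are constructed."""
from datetime import datetime

# Constructed sample events (EventData fields only; not real log output).
SAMPLE_EVENTS = [
    # Admin logs on interactively at 10:00 with Logon ID 0x24f6 (mirrors the post's example)
    {"EventID": 4624, "TimeCreated": "2024-03-04 10:00:00", "TargetUserName": "Admin",
     "TargetLogonId": "0x24f6", "LogonType": 2},
    # A second user logs on over Remote Desktop at 10:30
    {"EventID": 4624, "TimeCreated": "2024-03-04 10:30:00", "TargetUserName": "Bob",
     "TargetLogonId": "0x3a11", "LogonType": 10},
    # Bob disconnects the RDP session without logging off (4779): the session stays open
    {"EventID": 4779, "TimeCreated": "2024-03-04 11:00:00", "TargetUserName": "Bob",
     "TargetLogonId": "0x3a11"},
    # Admin's interactive session ends with a user-initiated logoff (4647) at 18:00
    {"EventID": 4647, "TimeCreated": "2024-03-04 18:00:00", "TargetUserName": "Admin",
     "TargetLogonId": "0x24f6"},
    # A 4634 whose Logon ID has no 4624 in our data (logon predates collection or the log rolled over)
    {"EventID": 4634, "TimeCreated": "2024-03-04 18:05:00", "TargetUserName": "Carol",
     "TargetLogonId": "0x9999"},
]

LOGON_EVENTS = {4624}
LOGOFF_EVENTS = {4634, 4647}   # 4647 = user-initiated logoff, 4634 = session torn down


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate_sessions(events):
    """Return (sessions, orphans).

    sessions maps a lower-cased Logon ID to {user, logon_type, logon, logoff, duration};
    logoff/duration are None while the session is still open.
    orphans lists logoff events whose Logon ID never appeared in a 4624."""
    sessions = {}
    orphans = []
    for ev in sorted(events, key=lambda e: _parse_time(e["TimeCreated"])):
        logon_id = ev["TargetLogonId"].lower()     # hex case varies between tools; normalise it
        if ev["EventID"] in LOGON_EVENTS:
            sessions[logon_id] = {"user": ev["TargetUserName"], "logon_type": ev.get("LogonType"),
                                  "logon": _parse_time(ev["TimeCreated"]),
                                  "logoff": None, "duration": None}
        elif ev["EventID"] in LOGOFF_EVENTS:
            session = sessions.get(logon_id)
            if session is None:
                orphans.append(ev)
                continue
            # An interactive session usually produces both 4647 and 4634; keep the first one seen.
            if session["logoff"] is None:
                session["logoff"] = _parse_time(ev["TimeCreated"])
                session["duration"] = session["logoff"] - session["logon"]
        # 4778/4779 (terminal session reconnect/disconnect) neither open nor close a session.
    return sessions, orphans


def logon_duration(sessions, logon_id):
    """Session length in seconds, or None if no logoff has been seen for that Logon ID."""
    session = sessions.get(logon_id.lower())
    if session is None or session["duration"] is None:
        return None
    return session["duration"].total_seconds()


if __name__ == "__main__":
    sessions, orphans = correlate_sessions(SAMPLE_EVENTS)
    for logon_id, s in sessions.items():
        state = str(s["duration"]) if s["duration"] is not None else "still logged on (no logoff yet)"
        print(f"{s['user']:6} logon id {logon_id} type {s['logon_type']}: {state}")
    for ev in orphans:
        print(f"logoff {ev['EventID']} for Logon ID {ev['TargetLogonId']} has no matching 4624")
```

Run it directly to see Admin's eight-hour session, Bob's still-open RDP session, and the orphan logoff for Carol. On a real host the same dictionaries can be built from `Get-WinEvent` output (exported as XML or CSV) before being fed to `correlate_sessions`.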
Logon/Logoff Events | In 2003 | Type | Description |
4624 | 528,540 | Success | A user successfully logged on to a computer. |
4625 | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 | Failure | An account failed to log on. |
4778 | 682 | Success | A user has reconnected to a disconnected terminal server session. |
4779 | 683 | Success | A user disconnected a terminal server session without logging off. |
4634, 4647 | 538 | Logoff | An account was logged off. |
Logon Types
The following table lists the Logon Types for Event IDs 4624 and 4634.
Logon Type | Description |
2 | Interactive -(A user logged on to this computer.) |
3 | Network -(A user or computer logged on to this computer from the network.) |
4 | Batch -(Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.) |
5 | Service -(A service was started by the Service Control Manager.) |
7 | Unlock -(This workstation was unlocked.) |
8 | NetworkCleartext -(A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).) |
9 | NewCredentials -(A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.) |
10 | RemoteInteractive -(A user logged on to this computer remotely using Terminal Services or Remote Desktop.) |
11 | CachedInteractive -(A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.) |
Failure Status codes
The following table lists the failure status codes and their equivalent error messages for Event ID 4625. On Windows Server 2003-based systems there is no single failure event with a status code; instead a separate event is logged for each type of logon failure (see the "In 2003" column above).
Failure code | Description |
0xC0000064 | The given user name does not exist. |
0xC000006A | The user name is correct but the password is wrong. |
0xC0000234 | The user is currently locked out. |
0xC0000072 | The account is currently disabled. |
0xC000006F | The user tried to log on outside the permitted day-of-week or time-of-day restrictions. |
0xC0000070 | Workstation restriction (the user is not allowed to log on from this workstation). |
0xC0000193 | The account has expired. |
0xC0000071 | The password has expired. |
0xC0000133 | The clocks of the DC and the other computer are too far out of sync. |
0xC0000224 | The user is required to change the password at next logon. |
0xC000015B | The user has not been granted the requested logon type at this machine. |
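An added example, not code from the original post, that applies the two tables above (logon types and 4625 failure status codes) to a batch of constructed 4625 records: each failure is decoded into a reason, failures are grouped per target account by reason, source address and logon type, and accounts with repeated wrong-password failures inside a short window are flagged, since that is the pattern that precedes a lockout. One caveat the tables do not show: in a 4625 event the specific reason is usually carried in the "Sub Status" field while "Status" holds a generic code (for example 0xC000006D for a bad user name or password), except for cases such as lockout (0xC0000234) where Status itself carries the reason; the decoder therefore checks SubStatus first and falls back to Status. The field names (Status, SubStatus, IpAddress, ...) are assumed to have been extracted from the event XML, and all sample values are constructed.

```python
"""Decode and summarise Windows 4625 logon failures using the status-code and logon-type tables.
Added example, not code from the original post; the records below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Failure status codes from the table above (NTSTATUS values).
FAILURE_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000234: "user is currently locked out",
    0xC0000072: "account is currently disabled",
    0xC000006F: "logon outside permitted day/time restrictions",
    0xC0000070: "workstation restriction",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
    0xC0000133: "clock skew between DC and this computer too large",
    0xC0000224: "user must change password at next logon",
    0xC000015B: "requested logon type not granted on this machine",
}

# Logon types from the table above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed sample events (EventData fields only; not real log output).
SAMPLE_4625 = [
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:00:10", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.0.5", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:01:05", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.0.5", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:02:30", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.0.5", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    # Lockout: Status carries the reason, SubStatus is zero.
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:03:00", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.0.5", "Status": "0xc0000234", "SubStatus": "0x0"},
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:10:00", "TargetUserName": "jdoe",
     "LogonType": 2, "IpAddress": "-", "Status": "0xc000006d", "SubStatus": "0xc0000064"},
    {"EventID": 4625, "TimeCreated": "2024-03-04 09:12:00", "TargetUserName": "tempuser",
     "LogonType": 10, "IpAddress": "192.0.2.44", "Status": "0xc000006e", "SubStatus": "0xc0000072"},
    # A successful logon mixed in; summarize_failures must ignore it.
    {"EventID": 4624, "TimeCreated": "2024-03-04 09:15:00", "TargetUserName": "jdoe", "LogonType": 2},
]


def parse_ntstatus(value):
    """Accept the hex string found in EventData ('0xc000006a') or an already-parsed int."""
    return int(value, 16) if isinstance(value, str) else int(value)


def decode_failure(ev):
    """Human-readable reason for a 4625 event: SubStatus first, then Status."""
    for field in ("SubStatus", "Status"):
        code = parse_ntstatus(ev.get(field, "0x0"))
        if code in FAILURE_STATUS:
            return FAILURE_STATUS[code]
    return f"unrecognised status {ev.get('Status')}/{ev.get('SubStatus')}"


def summarize_failures(events, window=timedelta(minutes=10), threshold=3):
    """Group 4625 events per target account and flag accounts with `threshold` or more
    wrong-password failures inside `window` (the run-up to a lockout)."""
    by_account = defaultdict(lambda: {"reasons": Counter(), "sources": Counter(),
                                      "logon_types": Counter(), "bad_password_times": []})
    for ev in events:
        if ev["EventID"] != 4625:
            continue
        rec = by_account[ev["TargetUserName"].lower()]
        rec["reasons"][decode_failure(ev)] += 1
        rec["sources"][ev.get("IpAddress", "-")] += 1
        logon_type = int(ev["LogonType"])
        rec["logon_types"][LOGON_TYPES.get(logon_type, f"unknown({logon_type})")] += 1
        if parse_ntstatus(ev.get("SubStatus", "0x0")) == 0xC000006A:
            rec["bad_password_times"].append(datetime.strptime(ev["TimeCreated"], "%Y-%m-%d %H:%M:%S"))
    flagged = set()
    for account, rec in by_account.items():
        times = sorted(rec["bad_password_times"])
        # Sliding window: any `threshold` consecutive bad passwords within `window` flags the account.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return dict(by_account), flagged


if __name__ == "__main__":
    summary, flagged = summarize_failures(SAMPLE_4625)
    for account, rec in summary.items():
        mark = " <-- repeated bad passwords" if account in flagged else ""
        print(f"{account}: {dict(rec['reasons'])} from {dict(rec['sources'])} via {dict(rec['logon_types'])}{mark}")
```

The window and threshold are deliberately parameters: tune them to the domain's lockout policy so that the flag fires before the lockout rather than after it, and compare the logon type of the failures with what the account is expected to use (a service account failing over Network logons from an unexpected address deserves a different response than an interactive typo).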
Thanks,
Morgan
Software Developer