Tuesday, 8 October 2013

Logon and Logoff Events in Active Directory

The user's logon and logoff events are logged under two categories in Active Directory based environment. These events are controlled by the following two group/security policy settings.
     i) Audit account logon events
     ii) Audit logon events

Note: See also these articles Enable logon and logoff events via GPO and Track logon and logoff activity

Audit account logon events

     This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the Domain Controller's security log. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM

The following table lists the Event IDs which are logged under the category Audit account logon events.

Account Logon EventsIn 2003TypeDescription
4768672Success, Failure An authentication service (AS) ticket was successfully issued and validated.
4769673Success, Failure A ticket granting service (TGS) ticket was granted.
4770674SuccessA security principal renewed an AS ticket or TGS ticket.
4771675Failure Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
-677Failure A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
4774678SuccessAn account was successfully mapped to a domain account.
4776680Success, Failure The domain controller attempted to validate the credentials for an account.

Audit logon events(Logon/Logoff)

This security setting determines whether to audit each instance of a user logging on to or logging off from a computer. The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. By using these events we can track user's logon duration by mapping logon and logoff events with user's Logon ID which is unique between user's logon and logoff events.

For example, If the user 'Admin' logon at the time 10 AM, we will get the following logon event: 4624 with Logon ID like 0x24f6

And if he logoff the system at the time 6 PM, we will get the logoff event either 4634 or 4647 ( Interactive and RemoteInteractive (remote desktop) logons) with the same Logon ID 0x24f6.

We can correlate these two events by Logon ID and find the Logon duration of the user Admin.

The following table lists the Event IDs which are logged under the category Audit logon events.

Logon/Logoff EventsIn 2003TypeDescription
4624528,540SuccessA user successfully logged on to a computer.
4625529,530,531,532 ,533,534,535,536,537,539 FailureAn account failed to log on.
4778682SuccessA user has reconnected to a disconnected terminal server session.
4779683SuccessA user disconnected a terminal server session without logging off.
4634,4647538LogoffAn account was logged off

Logon Types

The following table lists the Logon Types for the Events IDs 4624, 4634.

Logon TypeDescription
2Interactive -(A user logged on to this computer.)
3Network -(A user or computer logged on to this computer from the network.)
4Batch -(Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.)
5Service -(A service was started by the Service Control Manager.)
7Unlock -(This workstation was unlocked.)
8NetworkCleartext -(A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).)
9NewCredentials -(A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.)
10RemoteInteractive -(A user logged on to this computer remotely using Terminal Services or Remote Desktop.)
11CachedInteractive -(A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.)

Failure Status codes

The following table lists the Failure Status codes and its equivalent error message for the Event ID 4625 whereas in 2003 based system we will get individual events for every type of logon failures.

Failure codeDescription
0xC0000064Given user name not exist.
0xC000006AUser name is correct but the password is wrong.
0xC0000234User is currently locked out.
0xC0000072Account is currently disabled.
0xC000006FUser tried to logon outside his day of week or time of day restrictions.
0xC0000070Workstation restriction
0xC0000193Account expired
0xC0000071Password expired
0xC0000133clocks between DC and other computer too far out of sync
0xC0000224User is required to change password at next logon
0xc000015bThe user has not been granted the requested logon type at this machine

Software Developer


No comments:

Post a Comment