Logon type 2 indicates an interactive logon at the console. Type 3 indicates a network logon. The other logon types named here are Unlock, NetworkCleartext, NewCredentials, RemoteInteractive, and CachedInteractive (a logon with cached domain credentials, such as when logging on to a laptop when away from the network).
So now you know who logged on and how. Knowing where the user logged on would also be useful; you can use the identified workstation name and IP address to track down that information. Two other events appear under the Logon subcategory. Logon failures will appear as event ID In earlier Windows versions, several different events were used for failures. Event ID merges those events and indicates a failure code that will help to identify the reason for the failure.
Microsoft did a good thing by adding the Failure Reason section to Windows Server events. This section provides some of the translation for you, but you can still earn your salt by becoming familiar with all these codes which are shown below.
Finally, this subcategory includes event ID A logon was attempted using explicit credentials, which will appear in a variety of situations, such as when RunAs is invoked or when a scheduled task runs. Ostensibly, the Logoff subcategory should also provide the ability to track the logon session that relates to a logoff event ID For example, if a dirty shutdown occurs, a logoff event will appear only during the subsequent startup, when the operating system realizes that the user is no longer connected.
To compensate for the problems with using event ID to accurately track logoffs, Windows also logs event ID A user initiated a logoff. This event indicates that the user rather than the system started the logoff process. Event ID usually occurs a couple of seconds later. Event ID is probably a better event to use for tracking the termination of interactive logon sessions. No events are associated with the Account Lockout subcategory.
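The session tracking described above can be sketched as a small correlator that pairs each interactive logon with the event that ended it. This is an added example, not code from the original page; the event IDs (4624, 4634, 4647, 4608), the record layout, and the sample users and Logon IDs are assumptions supplied for the example.

```python
from datetime import datetime

# Event IDs below come from the Windows Security log and are supplied by this
# example, not by the page text: logon, logoff, user-initiated logoff, startup.
LOGON, LOGOFF, USER_LOGOFF, STARTUP = 4624, 4634, 4647, 4608
INTERACTIVE_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample records (hypothetical users and Logon IDs).
EVENTS = [
    {"time": t("2024-03-04T08:00:00"), "id": 4624, "type": 2, "user": "alice", "logon_id": "0x1a2b"},
    {"time": t("2024-03-04T09:15:00"), "id": 4624, "type": 3, "user": "svc", "logon_id": "0x2c3d"},
    {"time": t("2024-03-04T09:15:05"), "id": 4634, "logon_id": "0x2c3d"},
    {"time": t("2024-03-04T12:00:00"), "id": 4647, "logon_id": "0x1a2b"},
    {"time": t("2024-03-04T12:00:02"), "id": 4634, "logon_id": "0x1a2b"},
    {"time": t("2024-03-04T13:00:00"), "id": 4624, "type": 11, "user": "bob", "logon_id": "0x3e4f"},
    {"time": t("2024-03-05T07:30:00"), "id": 4608},
]

def build_sessions(events):
    """Pair interactive logons with whatever ended them, keyed by Logon ID."""
    open_sessions, closed = {}, []

    def close(logon_id, end, how):
        s = open_sessions.pop(logon_id)
        closed.append({**s, "end": end, "ended_by": how})

    for e in sorted(events, key=lambda e: e["time"]):
        lid = e.get("logon_id")
        if e["id"] == LOGON:
            if e["type"] in INTERACTIVE_TYPES:  # skip network logons (type 3) etc.
                open_sessions[lid] = {"user": e["user"], "start": e["time"]}
        elif e["id"] in (USER_LOGOFF, LOGOFF) and lid in open_sessions:
            # The user-initiated event arrives first and wins; the later
            # system logoff for the same Logon ID no longer matches anything.
            close(lid, e["time"], "user" if e["id"] == USER_LOGOFF else "system")
        elif e["id"] == STARTUP:
            # No logoff was recorded before the restart (e.g. dirty shutdown):
            # the startup time is only an upper bound for the session end.
            for lid in list(open_sessions):
                close(lid, e["time"], "startup")
    return closed

if __name__ == "__main__":
    for s in build_sessions(EVENTS):
        print(s["user"], s["start"], s["end"], s["ended_by"])
```

Sessions whose `ended_by` is `startup` have no reliable end time and should be reported separately from cleanly closed ones.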
There will be no unlock event; only a startup event. These are the gotchas you need to watch out for to be able to accurately calculate user session history.

Adam Bertram. Independent IT consultant, technical writer, trainer, and presenter. Adam specializes in consulting and evangelizing all things IT automation with a primary focus on PowerShell.