Event ID# on Domain Controllers for workstation interactive logon


-

Apr 20, 2009, 2:50:09 PM
I read somewhere that DCs running 2003 would log a new event that
specifically indicated a workstation/member-server interactive login. Thus
this would provide a semi-consolidated record of domain users' interactive
logons from non-DCs. I've Googled repeatedly but I'm not finding the
information. Can someone tell me what this event number is?


Meinolf Weber [MVP-DS]

Apr 20, 2009, 2:55:38 PM
Hello -,

Check this article about the logon type codes:
http://www.windowsecurity.com/articles/Logon-Types.html

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

-

Apr 20, 2009, 6:56:18 PM
Thanks Meinolf,

I think what I'm trying to get at specifically is if the DCs are going to
start holding the events for interactive logons in addition to the
workstations.


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66206848...@msnews.microsoft.com...

Ace Fekay [Microsoft Certified Trainer]

Apr 20, 2009, 8:52:04 PM
<-> wrote in message news:eDmK5sgw...@TK2MSFTNGP05.phx.gbl...

> Thanks Meinolf,
>
> I think what I'm trying to get at specifically is if the DCs are going to
> start holding the events for interactive logons in addition to the
> workstations.

This is something you would need to enable manually using either a GPO or
the Local Domain Controller Policy. I would suggest using a separate GPO
under the Domain Controller OU. Keep in mind, this is a lot of additional
data the DCs will be enumerating and can turn into a performance issue.

Ace Fekay [Microsoft Certified Trainer]

Apr 20, 2009, 8:53:14 PM
<-> wrote in message news:eDmK5sgw...@TK2MSFTNGP05.phx.gbl...
> Thanks Meinolf,
>
> I think what I'm trying to get at specifically is if the DCs are going to
> start holding the events for interactive logons in addition to the
> workstations.
>

Sorry, hit send too soon. I meant to post the following links:

Audit logon events: Security Configuration Editor; Security Services Jan 21, 2005
If both account logon and logon audit policy categories are enabled, logons
that use a domain account generate a logon or logoff event on ...
http://technet.microsoft.com/en-us/library/cc787567.aspx

Audit logon events
If you are auditing successful Audit account logon events on a domain
controller, then workstation logons do not generate logon audits. ...
http://technet.microsoft.com/en-us/library/cc976395.aspx

How to Enable Success Logon Event Logging Dec 1, 2008
To enable success logon event logging using a local security policy ... In
the results pane, double-click Audit logon events and ensure that ...
http://technet.microsoft.com/en-us/library/cc431373.aspx

Auditing Security Events Best practices: Auditing Jan 21, 2005
For information about how to enable auditing in the logon event category,
see Define or modify auditing policy settings for an event ...
http://technet.microsoft.com/en-us/library/cc778162.aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace...@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

