Logon and Logoff Events in Active Directory

A user's logon and logoff events are logged under two categories in an Active Directory based environment. These events are controlled by the following two group/security policy settings.
 
i) Audit account logon events
ii) Audit logon events

Note: See also the articles "Enable logon and logoff events via GPO" and "Track logon and logoff activity".

Audit account logon events

This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the Domain Controller's security log. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer's SAM.

The following table lists the Event IDs which are logged under the category Audit account logon events.

| Account Logon Event | In 2003 | Type | Description |
|---|---|---|---|
| 4768 | 672 | Success, Failure | An authentication service (AS) ticket was successfully issued and validated. |
| 4769 | 673 | Success, Failure | A ticket granting service (TGS) ticket was granted. |
| 4770 | 674 | Success | A security principal renewed an AS ticket or TGS ticket. |
| 4771 | 675 | Failure | Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password. |
| | 677 | Failure | A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family. |
| 4774 | 678 | Success | An account was successfully mapped to a domain account. |
| 4776 | 680 | Success, Failure | The domain controller attempted to validate the credentials for an account. |

Audit logon events (Logon/Logoff)

This security setting determines whether to audit each instance of a user logging on to or logging off from a computer. The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. By using these events we can track a user's logon duration by pairing the logon and logoff events through the Logon ID, which is shared by the logon and logoff events of one session.

For example, if the user 'Admin' logs on at 10 AM, we will get the following logon event: 4624 with a Logon ID like 0x24f6.

If he logs off the system at 6 PM, we will get the logoff event, either 4634 or 4647 (the latter for Interactive and RemoteInteractive (remote desktop) logons), with the same Logon ID 0x24f6.

We can correlate these two events by Logon ID and find the logon duration of the user Admin.
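The correlation described above, as an added example that is not part of the original article: it pairs 4624 logon events with 4634/4647 logoff events by Logon ID and computes each session's duration. The event records and their field names are constructed sample data, not real Windows event output; it also handles a logon that is still open and a logoff whose logon was never seen.

```python
# Added example (not from the original article): pair 4624 logon events with
# 4634/4647 logoff events by Logon ID and compute each session's duration.
# Field names and the event records are constructed sample data, not real logs.
from datetime import datetime

LOGOFF_IDS = {4634, 4647}   # 4647 is the user-initiated logoff of interactive sessions

SAMPLE_EVENTS = [           # constructed; one host, one boot, local times
    {"id": 4624, "time": "2024-01-15 10:00:00", "user": "Admin",
     "logon_id": "0x24f6", "logon_type": 2},
    {"id": 4624, "time": "2024-01-15 10:05:00", "user": "svc_backup",
     "logon_id": "0x3a11", "logon_type": 5},
    {"id": 4625, "time": "2024-01-15 10:07:00", "user": "Admin",
     "status": "0xC000006A"},                       # failed logon: nothing to pair
    {"id": 4647, "time": "2024-01-15 18:00:00", "user": "Admin",
     "logon_id": "0x24f6"},
    {"id": 4634, "time": "2024-01-15 18:30:00", "user": "ghost",
     "logon_id": "0x9999"},                         # logoff with no recorded logon
]

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def correlate_sessions(events):
    """Return (sessions, unmatched_logoffs).

    sessions maps Logon ID -> dict(user, logon_type, logon, logoff, logoff_event,
    duration); a logon with no logoff yet has logoff=None. Logon IDs are only
    unique per host per boot, so process one host's log and never across reboots.
    """
    sessions, unmatched = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["id"] == 4624:
            sessions[ev["logon_id"]] = {
                "user": ev["user"], "logon_type": ev["logon_type"],
                "logon": parse_time(ev["time"]), "logoff": None,
                "logoff_event": None, "duration": None,
            }
        elif ev["id"] in LOGOFF_IDS:
            sess = sessions.get(ev["logon_id"])
            if sess is None:
                unmatched.append((ev["id"], ev["logon_id"]))
            elif sess["logoff"] is None:   # a 4634 following a 4647 is ignored
                sess["logoff"] = parse_time(ev["time"])
                sess["logoff_event"] = ev["id"]
                sess["duration"] = sess["logoff"] - sess["logon"]
    return sessions, unmatched
```

For the sample data the Admin session resolves to eight hours via the 4647 event, the service logon stays open, and the stray 4634 is reported separately instead of being silently dropped.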

The following table lists the Event IDs which are logged under the category Audit logon events.

| Logon/Logoff Event | In 2003 | Type | Description |
|---|---|---|---|
| 4624 | 528, 540 | Success | A user successfully logged on to a computer. |
| 4625 | 529, 530, 531, 532, 533, 534, 535, 536, 537, 539 | Failure | An account failed to log on. |
| 4778 | 682 | Success | A user has reconnected to a disconnected terminal server session. |
| 4779 | 683 | Success | A user disconnected a terminal server session without logging off. |
| 4634, 4647 | 538 | Logoff | An account was logged off. |

Logon Types

The following table lists the Logon Types for the Event IDs 4624 and 4634.

| Logon Type | Description |
|---|---|
| 2 | Interactive (A user logged on to this computer.) |
| 3 | Network (A user or computer logged on to this computer from the network.) |
| 4 | Batch (Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.) |
| 5 | Service (A service was started by the Service Control Manager.) |
| 7 | Unlock (This workstation was unlocked.) |
| 8 | NetworkCleartext (A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).) |
| 9 | NewCredentials (A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.) |
| 10 | RemoteInteractive (A user logged on to this computer remotely using Terminal Services or Remote Desktop.) |
| 11 | CachedInteractive (A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.) |

Failure Status codes

The following table lists the Failure Status codes and their equivalent error messages for Event ID 4625. On 2003 based systems there is no such status code: each type of logon failure is logged as its own event ID instead.

| Failure code | Description |
|---|---|
| 0xC0000064 | The given user name does not exist. |
| 0xC000006A | The user name is correct but the password is wrong. |
| 0xC0000234 | The user is currently locked out. |
| 0xC0000072 | The account is currently disabled. |
| 0xC000006F | The user tried to log on outside the permitted day of week or time of day restrictions. |
| 0xC0000070 | Workstation restriction. |
| 0xC0000193 | Account expired. |
| 0xC0000071 | Password expired. |
| 0xC0000133 | The clocks between the DC and the other computer are too far out of sync. |
| 0xC0000224 | The user is required to change the password at next logon. |
| 0xC000015B | The user has not been granted the requested logon type at this machine. |

Thanks,
Morgan
Software Developer
