Solved

"Audit account logon events" VRS "Audit logon events"

Posted on 2004-03-20
2
1,850 Views
Last Modified: 2012-06-27

"Audit account logon events" and "Audit logon events", I need someone to clarify the differences between these two audit types, I am very confused!  I have traditionally only used "Audit logon events" to track success/failure logon attempts from a client to the domain.  The more I read the descriptions for these events the more confused I get.  

Can you give me examples of use, mainly for "Audit account logon events"?

 
Here are the descroptions from 2003 help.
-------------------------------------------------------------------------

Audit account logon eventsDescription:

This security setting determines whether to audit each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when an account logon attempt succeeds. Failure audits generate an audit entry when an account logon attempt fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

If success auditing for account logon events is enabled on a domain controller, an entry is logged for each user who is validated against that domain controller, even though the user is actually logging on to a workstation that is joined to the domain.

Default: Success.

-------------------------------------------------------------------------

Audit logon eventsDescription:

This security setting determines whether to audit each instance of a user logging on to or logging off from a computer.

Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more information about account logon events, see Audit account logon events.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: Success.


Thanks

Super Play



0
Comment
Question by:superplay
2 Comments
 
LVL 10

Accepted Solution

by:
BloodRed earned 60 total points
ID: 10645189
As I understand it, Account Logon events are generated on the system that does the actual authentication, the DC, and Logon events are generated on the machine that account is logging in to(not necessarily the machine that actually authenticated the account).  

MS Press's Windows Server 2003 Administrator's Companion simply states:

Account Logon - Generated when a DC recieves a logon request.
Logon - Generated when a user logs on or off.


-BR
0
 
LVL 3

Assisted Solution

by:pashanahan
pashanahan earned 65 total points
ID: 10647856
Hi there,

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/518.asp

If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on.

Account Logon Event > When the user 1st logs onto any domain client > Generated on the DC when a user logs onto a domain computer and is authenticated by the DC
Logon Event > Generated whenever the user accesses a resource on a member server / different client from the local one where he/s is logged in  

So to audit successful logins to the domain you would use "Account Logon Event" to track remote share/resource usage then you would use "Logon Event"

Aid



0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now