All successful logons are Event ID 528 entries in
the security log, assuming auditing is turned on and you are auditing successful
logons. Unsuccessful logons have various event ids which categorize the type of
logon failure.
Event ID 528 entries list the:
- user name
- domain
- logon id
- logon type
- logon process
- authentication package
- workstation name
The successful logon types are:
- Type 2 : Console logon - interactive from the computer console
- Type 3 : Network logon - network mapping (net use/net view)
- Type 4 : Batch logon - scheduler
- Type 5 : Service logon - service uses an account
- Type 7 : Unlock Workstation
Types 0 and 1 are not used, and Type 6 is listed as a proxy logon but I don't
know what that is. The Logon Type 3 events indicate a network logon event. A
successful Net Use or File Manager connection or a successful Net View to a
share generates Event ID 528. An event is generated by the initial connection
from a particular user. Later Net Uses or Net Views by that user from the same
computer do not generate additional events unless the user has been
disconnected.
Auditing User Authentication gives additional information.
The unsuccessful logon events are:
- Event ID 529 : Unknown user name or bad password
- Event ID 530 : Logon time restriction violation
- Event ID 531 : Account disabled
- Event ID 532 : Account expired
- Event ID 533 : Workstation restriction - not allowed to logon at this computer
- Event ID 534 : Inadequate rights - as in user account attempting console login to server
- Event ID 535 : Password expired
- Event ID 536 : NetLogon service down
- Event ID 537 : Unexpected error - the who knows ??? factor
- Event ID 539 : Logon Failure: Account locked out
- Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
- Event ID 644 : User account locked out
Event ID 538 is not an unsuccessful event but rather a successful logoff. Event
ID 540 is not an unsuccessful event but rather a successful network logon, as in
mapping a network drive. Some Windows 2000-only events are:
- Event ID 541 : IPSec security association established
- Event ID 542 : IPSec security association ended (mode data protection)
- Event ID 543 : IPSec security association ended (key exchange)
- Event ID 544 : IPSec security association establishment failed because peer could not authenticate
- Event ID 545 : IPSec peer authentication failed
- Event ID 546 : IPSec security association establishment failed because peer sent invalid proposal
- Event ID 547 : IPSec security association negotiation failed
- Event ID 672 : Authentication Ticket Granted
- Event ID 673 : Service Ticket Granted
- Event ID 674 : Ticket Granted Renewed
- Event ID 675 : Pre-authentication failed
- Event ID 676 : Authentication Ticket Request Failed
- Event ID 677 : Service Ticket Request failed
- Event ID 678 : Account mapped for logon
- Event ID 679 : Account could not be mapped for logon
- Event ID 680 : Account used for logon
- Event ID 681 : Logon failed. The error code was:
- Event ID 682 : Session reconnected to winstation
- Event ID 683 : Session disconnected from winstation
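An added example (not from the original tip) that applies the Event ID 528 fields, the logon type table and the 529-539 failure reasons above to some constructed log records. The key=value export format, the user names and the logon IDs are assumptions made for the demo.

```python
# Added example (not from the original page): decode constructed NT 4 / Windows 2000
# security-log records using the event ID and logon type tables from the tip above,
# then count failed logons per user and workstation by reason.
from collections import Counter

LOGON_TYPES = {2: "Console", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock Workstation"}
FAILURE_REASONS = {
    529: "Unknown user name or bad password", 530: "Logon time restriction violation",
    531: "Account disabled", 532: "Account expired", 533: "Workstation restriction",
    534: "Inadequate rights", 535: "Password expired", 536: "NetLogon service down",
    537: "Unexpected error", 539: "Account locked out",
}

# Constructed sample records in an assumed key=value export format (not a real tool's output).
SAMPLE = """\
id=528 user=alice domain=CORP logon_id=0x1A2B type=2 ws=WS01
id=528 user=bob domain=CORP logon_id=0x1A3C type=3 ws=WS02
id=529 user=eve domain=CORP type=3 ws=WS09
id=529 user=eve domain=CORP type=3 ws=WS09
id=535 user=carol domain=CORP type=2 ws=WS03
id=538 user=alice domain=CORP logon_id=0x1A2B type=2 ws=WS01
"""

def parse(line):
    """Turn one key=value record into a dict with integer event id and logon type."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["id"] = int(rec["id"])
    rec["type"] = int(rec.get("type", 0))
    return rec

def describe(rec):
    """Plain-English meaning of one record, following the ID tables in the tip."""
    eid, who = rec["id"], f"{rec['domain']}\\{rec['user']}"
    if eid == 528:
        return f"successful {LOGON_TYPES.get(rec['type'], 'unknown')} logon by {who} from {rec['ws']}"
    if eid == 538:
        return f"logoff by {who} (logon type {rec['type']})"
    if eid in FAILURE_REASONS:
        return f"failed logon by {who} from {rec['ws']}: {FAILURE_REASONS[eid]}"
    return f"event {eid} by {who}"

def failures_by_user(text):
    """Count failed logons per (user, workstation, reason); repeats from one host stand out."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec["id"] in FAILURE_REASONS:
            counts[(rec["user"], rec["ws"], FAILURE_REASONS[rec["id"]])] += 1
    return counts
```

Running `describe(parse(line))` over each sample line and `failures_by_user(SAMPLE)` shows the two repeated 529s from WS09 as a single counted entry, which is the kind of pattern worth a second look.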
You may get calls about the strange 627s: is someone breaking in? What is
NT AUTHORITY\ANONYMOUS? This event is logged when the password has expired and
the user tries to change it during logon. Thus you get no User Name but
NT AUTHORITY\ANONYMOUS written in the log. This error generates calls from
Security Admins when they don't understand the meaning of the error. On the
surface, it sounds ominous.
Event ID 642 records the PDC's change of secure channel passwords.
Some common event sequences:
- Event ID 560 (Object Open), 561 (Handle Allocated), 562 (Handle Closed) : NT is
doing internal checks, such as checking to see if the file exists and checking
to see that there is no sharing violation.
- Event ID 592 (A New Process Has Been Created), 560 (Object Open), 561 (Handle
Allocated), 562 (Handle Closed), 593 (Process Has Exited) : An executable
starts, an audited object is opened and closed, and the executable exits.
Microsoft has recently published Windows 2000 Security Event Descriptions part 1
and Windows 2000 Security Event Descriptions part 2. Nice coverage for W2K.
Q:
I get a lot of event log IDs 528, 538 (users logging on and
off). First comes a 528 (logon) followed later by 538 (logoff). I know the
user is not logging off...
Check the logon type in the events.
- If it is 2 (Interactive logon), it is the old bug described in
Microsoft's KB article Q146880.
- If it is 3 (Network logon), it is a network logon/logoff. Such an
event occurs if a user connects to a share, for instance. There is also
a setting on the server called "Autodisconnect if a session is idle more
than x min", with a default of 15 min. So even if a user is connected to a
share for hours, you can get a lot of such events because the server will
disconnect after the idle time and reconnect if the share is accessed the
next time. This is transparent to the user.
- Logon type 4 (Batch logon) is only logged on NT 4 if you
have the new scheduler installed, which comes with IE 5. This new
scheduler logs logons and logoffs of its tasks, because each task may run
under a different account. The native NT 4 scheduler ran all tasks
under the account it was itself running under, therefore no one needed to log on
when a batch job started.
I was wondering if you could tell me how to set the autodisconnect to a
longer time for logon type 3?
The easiest way is to use the command
NET CONFIG SERVER /AUTODISCONNECT:Minutes
But I have another user (admin) who does not have any share open on a
workstation but is generating lots of pairs of events 528/538 nevertheless.
Somebody reported this behaviour when perfmon.exe is run across the network.
In some cases this program is reported to open and close a connection every
time it collects data, which can be very often. I could not reproduce this
behaviour, though.
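An added example (not part of the Q&A above) that pairs 528 logons with 538 logoffs by Logon ID and picks out the type 3 sessions that end exactly at the server's autodisconnect interval, which is the transparent share reconnect behaviour the answer describes. The record layout, timestamps, users and logon IDs are constructed for the demo; the 15 minute default and the NET CONFIG SERVER /AUTODISCONNECT setting are the ones given in the answer.

```python
# Added example (not from the original page): pair 528 logon and 538 logoff records
# by Logon ID so the type 3 "churn" described in the Q&A above can be told apart from
# interactive sessions. The record format and timestamps are constructed for this demo.
from datetime import datetime

# Constructed records: date, time, event id, logon type, logon id, user.
SAMPLE = """\
2000-03-01 08:00:00 528 2 0x1A2B alice
2000-03-01 08:01:10 528 3 0x1B00 bob
2000-03-01 08:16:10 538 3 0x1B00 bob
2000-03-01 08:16:12 528 3 0x1B44 bob
2000-03-01 08:31:12 538 3 0x1B44 bob
2000-03-01 17:30:00 538 2 0x1A2B alice
"""

def parse(line):
    """Split one constructed record into typed fields."""
    date, clock, eid, ltype, logon_id, user = line.split()
    return {"time": datetime.fromisoformat(f"{date} {clock}"), "id": int(eid),
            "type": int(ltype), "logon_id": logon_id, "user": user}

def pair_sessions(text):
    """Match each 538 to the earlier 528 with the same Logon ID.
    Returns (user, logon type, duration in minutes) per completed session."""
    open_logons, sessions = {}, []
    for line in text.splitlines():
        rec = parse(line)
        if rec["id"] == 528:
            open_logons[rec["logon_id"]] = rec
        elif rec["id"] == 538 and rec["logon_id"] in open_logons:
            start = open_logons.pop(rec["logon_id"])
            minutes = (rec["time"] - start["time"]).total_seconds() / 60
            sessions.append((rec["user"], rec["type"], round(minutes, 1)))
    return sessions

def idle_disconnects(sessions, autodisconnect_minutes=15):
    """Type 3 sessions whose length equals the server's autodisconnect interval
    (15 min by default, settable with NET CONFIG SERVER /AUTODISCONNECT): these are
    the server dropping an idle share connection, not a user logging off."""
    return [s for s in sessions if s[1] == 3 and abs(s[2] - autodisconnect_minutes) < 1]
```

On the sample, bob's two back-to-back 15 minute type 3 sessions are reported as idle disconnects while alice's day-long type 2 session is not.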