[Logon Type]
Logon type 2 Interactive: A user logged on to this computer.
Logon type 3 Network: A user or computer logged on to this computer from the network.
Logon type 4 Batch: Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
Logon type 5 Service: A service was started by the Service Control Manager.
Logon type 7 Unlock: This workstation was unlocked.
Logon type 8 NetworkCleartext: A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
Logon type 9 NewCredentials: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
Logon type 10 RemoteInteractive: A user logged on to this computer remotely using Terminal Services or Remote Desktop.
Logon type 11 CachedInteractive: A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Event ID 528 entries list the:
- user name
- domain
- logon id
- logon type
- logon process
- authentication package
- workstation name
The types of successful logon types:
- Type 2 : Console logon - interactive from the computer console
- Type 3 : Network logon - network mapping (net use/net view)
- Type 4 : Batch logon - scheduler
- Type 5 : Service logon - service uses an account
- Type 7 : Unlock Workstation
Type 0 & 1 are not used and Type 6 is listed as a proxy logon but I don't know what that is. The Logon Type 3 events indicate a network logon event. A successful Net Use or File Manager connection or a successful Net View to a share generates Event ID 528. An event is generated by the initial connection from a particular user. Later Net Uses or Net Views by that user from the same computer do not generate additional events unless the user has been disconnected. Auditing User Authentication gives additional information.
The unsuccessful logon events are:
- Event ID 529 : Unknown user name or bad password
- Event ID 530 : Logon time restriction violation
- Event ID 531 : Account disabled
- Event ID 532 : Account expired
- Event ID 533 : Workstation restriction - not allowed to logon at this computer
- Event ID 534 : Inadequate rights - as in user account attempting console login to server
- Event ID 535 : Password expired
- Event ID 536 : NetLogon service down
- Event ID 537 : unexpected error - the who knows ??? factor
- Event ID 539 : Logon Failure: Account locked out
- Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
- Event ID 644 : User account Locked out
Event ID 538 is not an unsuccessful event but rather a successful logoff. Event ID 540 is not an unsuccessful event but rather a successful network logon as in mapping a network drive. Some Windows 2000 only events are:
- Event ID 541 : IPSec security association established
- Event ID 542 : IPSec security association ended (mode data protection)
- Event ID 543 : IPSec security association ended (key exchange)
- Event ID 544 : IPSec security association establishment failed because peer could not authenticate
- Event ID 545 : IPSec peer authentication failed
- Event ID 546 : IPSec security association establishment failed because peer sent invalid proposal
- Event ID 547 : IPSec security association negotiation failed
- Event ID 672 : Authentication Ticket Granted
- Event ID 673 : Service Ticket Granted
- Event ID 674 : Ticket Granted Renewed
- Event ID 675 : Pre-authentication failed
- Event ID 676 : Authentication Ticket Request Failed
- Event ID 677 : Service Ticket Request failed
- Event ID 678 : Account mapped for logon
- Event ID 679 : Account could not be mapped for logon
- Event ID 680 : Account used for logon
- Event ID 681 : Logon failed. The error code was:
- Event ID 682 : Session reconnected to winstation
- Event ID 683 : Session disconnected from winstation
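As an added example (not part of the original notes), the logon types and the 528/538/540 and 529-539 event IDs listed above can be turned into a small classifier and a per-source failed-logon counter, which is the usual first pass when reviewing a legacy security log. The tuple record layout and the sample records are constructed for this example; a real event log export will need its own parsing step first.

```python
# Added example: classify legacy Windows security events (IDs 528-540, logon
# types 2-11 as listed in the notes) and count failed logons per source.
# Record layout (event_id, logon_type, user, workstation) is an assumption.
from collections import Counter

LOGON_TYPES = {  # logon type numbers and names as listed in the notes
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
SUCCESS = {528: "successful logon", 540: "successful network logon"}
LOGOFF = {538: "successful logoff"}
FAILURE = {  # unsuccessful logon events as listed in the notes
    529: "unknown user name or bad password", 530: "logon time restriction violation",
    531: "account disabled", 532: "account expired", 533: "workstation restriction",
    534: "inadequate rights", 535: "password expired", 536: "NetLogon service down",
    537: "unexpected error", 539: "account locked out",
}

def classify(event_id, logon_type):
    """Return a 'success:/failure:/logoff:/other:' label with the logon type name."""
    ltype = LOGON_TYPES.get(logon_type, "unknown type %s" % logon_type)
    if event_id in SUCCESS:
        return "success: %s (%s)" % (SUCCESS[event_id], ltype)
    if event_id in FAILURE:
        return "failure: %s (%s)" % (FAILURE[event_id], ltype)
    if event_id in LOGOFF:
        return "logoff: %s" % LOGOFF[event_id]
    return "other: event %d" % event_id

def failed_logons_by_source(records):
    """Count failure events per (user, workstation) so repeated bad-password
    attempts from one source stand out in review."""
    counts = Counter()
    for event_id, _ltype, user, workstation in records:
        if event_id in FAILURE:
            counts[(user, workstation)] += 1
    return counts

def sources_over_threshold(records, threshold=3):
    """Return (user, workstation) pairs with at least `threshold` failed logons."""
    return sorted(k for k, n in failed_logons_by_source(records).items() if n >= threshold)

# Constructed sample records: (event_id, logon_type, user, workstation)
SAMPLE = [
    (528, 2, "alice", "WS01"),
    (529, 3, "bob", "WS07"), (529, 3, "bob", "WS07"), (529, 3, "bob", "WS07"),
    (539, 3, "bob", "WS07"), (540, 3, "carol", "WS02"), (538, 3, "carol", "WS02"),
    (529, 10, "dave", "WS09"),
]
```

Running `sources_over_threshold(SAMPLE)` on the sample returns only `("bob", "WS07")`, the source with three bad-password events followed by a lockout.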