Audit Logon Events vs. Audit Account Logon Events

's Computer Specifications

In a recent Windows 2K Svr checklist from Microsoft I noticed that Microsoft
recomends the admin to do a Sucess and Failure in "Audit Account Logon
Events" only.

see http://www.microsoft.com/technet/sec.../w2ksvrcl.mspx

Enable Security Event Auditing>Microsoft recommends enabling only Success
and Failure auditing for the Audit account logon events policy.

What's the difference between "Audit Account Logon Events" vs. "Audit Logon
Events"?

Thanks,

GX

's Computer Specifications

All messages from thread
Message 1 in thread
From: Steven L Umbach ((E-Mail Removed))
Subject: Re: Logon vs Acct logon auditing

View this article only
Newsgroups: microsoft.public.win2000.security
Date: 2004-03-18 12:10:51 PST

This a copy of a reply I made a short time back. I think it depends if the
server or the domain controller will be authenticating the users. ---
SteveThere is a subtle, but important to know, difference when it comes to
trying
to track down account lockouts or hack attempts. Account logon events are
used to record when a user logs onto a computer. The event is recorded on
the computer that authenticated the user - the actual computer [local sam]
if logging onto a local machine account or the domain controller that
validated a domain user logging into the domain. An account logon event will
not be recorded on the domain computer where a domain user logs onto the
domain but a logon event could be. Logon events are recorded where a user
uses their credentials such as accessing a domain file server in which case
a type 3 netwok logon would be recorded in the security log of the file
server showing the name and computer used by the domain user. See the links
below for more info including how to interpret the Event ID's. --- Steve
[bored at work]

http://www.microsoft.com/resources/d.../en-us/515.asp
http://tinyurl.com/2zg73 -- shorter in case of wrap.

http://www.microsoft.com/resources/d.../en-us/518.asp
http://tinyurl.com/34osj -- shorter link in case of wrap.

"HG" <(E-Mail Removed)> wrote in message
news:7JY7c.283014$(E-Mail Removed)...
> In a recent Windows 2K Svr checklist from Microsoft I noticed that Microsoft
> recomends the admin to do a Sucess and Failure in "Audit Account Logon
> Events" only.
>
> see http://www.microsoft.com/technet/sec.../w2ksvrcl.mspx
>
> Enable Security Event Auditing>Microsoft recommends enabling only Success
> and Failure auditing for the Audit account logon events policy.
>
> What's the difference between "Audit Account Logon Events" vs. "Audit Logon
> Events"?
>
> Thanks,
>
> GX
>
>

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread:

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
SecPol Audit Policy: Diff between "Audit account logon events" and "Audit logon events" ?	Sebastian Kaist	Windows XP Help	2	13th Mar 2009 04:37 PM
SecPol Audit Policy: Diff between "Audit account logon events" and "Audit logon events" ?	Sebastian Kaist	Windows XP General	0	13th Mar 2009 08:06 AM
Audit Account Logon Events, Client IP address incorrect?	=?Utf-8?B?TG9yaQ==?=	Microsoft Windows 2000 Active Directory	7	22nd Dec 2004 01:33 AM
Audit account logon events causes security log meltdown :(	Trust No One®	Microsoft Windows 2000 Active Directory	1	19th Nov 2004 12:33 AM
logon and account logon audit events	djc	Microsoft Windows 2000 Security	3	30th Sep 2004 09:16 PM