Excessive 538 messages in Security log

Guest

I have an employee that has a workstation with XP Professional installed.
The security log is full of 538, 540, and 576 events from another user that
is not supposed to be on her system at all. This other person is also no
longer with the company. How can I find where this logon activity is coming
from, so I can stop it?

Any assistance will be greatly appreciated.

Thanks,
Allen
Wesley Vogel

Look at the Event 540s for the user name and the domain information of the
user account that was logged on and the name of the logon process that
logged the user on.

ID: 538
Source: Security
Explanation
This event record indicates that a user has logged off.
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows Operating System&ProdVer=5.0&EvtID=538&EvtSrc=Security&LCID=1033

ID: 540
Source: Security
Explanation
A logon session was created for the user. The message contains the Logon ID,
a number that is generated when a user logs on to a computer. The Logon ID
that is assigned to a logon session is unique to that logon session until
the computer is restarted, at which point the Logon ID may be reused. The
Logon ID can be used to correlate a logon message with other messages, such
as object access messages.

This message includes the user name and the domain information of the user
account that was logged on, the name of the logon process that logged the
user on, the type of authentication credentials that were presented, and a
logon GUID (globally unique identifier).

For logons that use Kerberos, the logon GUID can be used to associate a
logon event on this computer with an account logon event on an
authenticating computer, such as a domain controller.

This message also includes a logon type code. The logon type code indicates
the manner in which the user logged on. The following table explains the
logon type value:

Logon type  Logon title        Description
2           Interactive        A user logged on to this computer at the console.
3           Network            A user or computer logged on to this computer
                               from the network.
4           Batch              Batch logon type is used by batch servers, where
                               processes might run on behalf of a user without
                               the user's direct intervention.
5           Service            A service was started by the Service Control
                               Manager.
7           Unlock             This workstation was unlocked.
8           NetworkCleartext   A user logged on to a network. The user's
                               password was passed to the authentication
                               package in its unhashed form. The built-in
                               authentication packages all hash credentials
                               before sending them across the network. The
                               credentials do not traverse the network in
                               plaintext (also called cleartext).
9           NewCredentials     A caller cloned its current token and specified
                               new credentials for outbound connections. The
                               new logon session has the same local identity,
                               but it uses different credentials for other
                               network connections.
10          RemoteInteractive  A user logged on to this computer remotely using
                               Terminal Services or a Remote Desktop connection.
11          CachedInteractive  A user logged on to this computer with network
                               credentials that were stored locally on the
                               computer. The domain controller was not
                               contacted to verify the credentials.
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=540&EvtSrc=Security&LCID=1033

ID: 576
Source: Security
Explanation
This event record indicates that a privilege that is not auditable on an
individual-use basis has been assigned to a user's security context at
logon. Certain privileges have security implications. Assigning such
privileges to a user who is not trusted can be a security risk. Some
privileges are used so frequently that auditing their every use would flood
the audit log with useless noise. For example, SeChangeNotifyPrivilege is
also used to bypass traverse access checking. This privilege is granted to
all users in a normal system configuration and is used multiple times for
each file opened. This audit event record is intended to warn an
administrator that such a privilege has been assigned.

User Action
The person with administrative rights for the computer should make sure the
user should have the special privileges assigned.
http://www.microsoft.com/technet/su...odVer=5.0&EvtID=576&EvtSrc=Security&LCID=1033

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
