Export (0) Print
Expand All
3 out of 7 rated this helpful - Rate this topic

Audit Other Logon/Logoff Events

Updated: June 15, 2009

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether Windows generates audit events for other logon or logoff events, such as:

  • A Remote Desktop session disconnects or connects.

  • A workstation is locked or unlocked.

  • A screen saver is invoked or dismissed.

  • A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.

  • A user is granted access to a wireless network. It can either be a user account or the computer account.

  • A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.

Logon events are essential to understanding user activity and detecting potential attacks.

Event volume: Low on a client computer or a server

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

 

Event ID Event message

4649

A replay attack was detected.

4778

A session was reconnected to a Window Station.

4779

A session was disconnected from a Window Station.

4800

The workstation was locked.

4801

The workstation was unlocked.

4802

The screen saver was invoked.

4803

The screen saver was dismissed.

5378

The requested credentials delegation was disallowed by policy.

5632

A request was made to authenticate to a wireless network.

5633

A request was made to authenticate to a wired network.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.