Audit Other Account Logon Events

 

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic for the IT professional describes the advanced security audit policy setting Audit Other Account Logon Events. The setting lets you audit events generated by responses to credential requests that are submitted for a user account logon but are not credential validation or Kerberos tickets.

Examples can include the following:

  • Remote Desktop session disconnections

  • New Remote Desktop sessions

  • Locking and unlocking a workstation

  • Invoking a screen saver

  • Dismissing a screen saver

  • Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice

    Note

    This condition could be caused by a network misconfiguration.

  • Access to a wireless network granted to a user or computer account

  • Access to a wired 802.1x network granted to a user or computer account

Event volume: Varies, depending on system use

Default: Not configured

If this policy setting is configured, the following events appear on computers running the supported versions of Windows as designated in the Applies To list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.

Event ID    Event message
4649        A replay attack was detected.
4778        A session was reconnected to a Window Station.
4779        A session was disconnected from a Window Station.
4800        The workstation was locked.
4801        The workstation was unlocked.
4802        The screen saver was invoked.
4803        The screen saver was dismissed.
5378        The requested credentials delegation was disallowed by policy.
5632        A request was made to authenticate to a wireless network.
5633        A request was made to authenticate to a wired network.
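As an added example (not part of the original topic), the following PowerShell shows how this subcategory is currently set on the local computer and summarizes any of the events listed above that are in its Security log. The 24-hour look-back window and the variable names are assumptions, and the script assumes an elevated session with PowerShell 3.0 or later.

```powershell
# Added example. Run in an elevated PowerShell session on the computer being checked.

# Event IDs and messages copied from the table in this topic.
$EventMessages = @{
    4649 = 'A replay attack was detected.'
    4778 = 'A session was reconnected to a Window Station.'
    4779 = 'A session was disconnected from a Window Station.'
    4800 = 'The workstation was locked.'
    4801 = 'The workstation was unlocked.'
    4802 = 'The screen saver was invoked.'
    4803 = 'The screen saver was dismissed.'
    5378 = 'The requested credentials delegation was disallowed by policy.'
    5632 = 'A request was made to authenticate to a wireless network.'
    5633 = 'A request was made to authenticate to a wired network.'
}

# Show whether success and/or failure auditing is on for this subcategory.
auditpol /get /subcategory:"Other Account Logon Events"

# To enable it locally, uncomment the next line (domain Group Policy can override it).
# auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable

# Assumption: a 24-hour look-back window; adjust to your retention and event volume.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($EventMessages.Keys)
    StartTime = (Get-Date).AddHours(-24)
}
# Get-WinEvent reports an error when nothing matches, so treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Per-event-ID summary: how many, and when the most recent one was logged.
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        Message = $EventMessages[[int]$_.Name]
    }
} | Sort-Object EventId | Format-Table -AutoSize

# Print 4649 in full for review; as noted above, a network misconfiguration can also cause it.
$events | Where-Object { $_.Id -eq 4649 } |
    Select-Object TimeCreated, MachineName, Message | Format-List
```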

Advanced Security Audit Policy Settings