Geeks With Blogs
Michel Klomp Monitoring and Scripting

If you open the security settings in a GPO and look closely at the audit policy, you will see two logon-related settings: "Audit account logon event" and "Audit logon event".

What are the differences, and why did Microsoft give them such confusing names?

 

I was looking for some resources to answer this question when Google showed me this page: http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx, a blog from the Windows auditing team.

 

So here is their explanation for the bad naming: The answer is actually pretty simple- we're bad at choosing names.  "Account Logon" isn't really about logon, it's about credential validation.

 

And these are the differences.

Audit Logon/Logoff generates events for the creation and destruction of logon sessions.  These events occur on the machine which was accessed.  In the case of an interactive logon, these would be generated on the machine which was logged on to.  In the case of network logon, for example, accessing a share, these events would be generated on the machine hosting the resource that was accessed.

Audit Account Logon generates events for credential validation. These events occur on the machine which is authoritative for the credentials.  For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative.  Since domain accounts are used much more frequently in enterprise environments than local accounts, most of the Account Logon events in a domain environment occur on the domain controllers which are authoritative for the domain accounts.  However, these events can occur on any machine, and may occur in conjunction with or on separate machines from logon/logoff events.
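The split described above, run over a constructed set of Security-log events (an added example, not code from the original post or from the Microsoft blog it quotes). The event IDs are the Windows Vista-and-later ones; the host names DC01, WS07 and FS02, the accounts, and the time-window matching are assumptions made for illustration.

```python
from collections import defaultdict

# Modern (Vista and later) Security-log event IDs, grouped by audit policy category.
ACCOUNT_LOGON = {4768, 4769, 4776}  # Kerberos TGT, Kerberos service ticket, NTLM validation
LOGON_LOGOFF = {4624, 4625, 4634}   # session created, logon failed, session destroyed

# Constructed sample events: (seconds, host that logged it, event ID, account).
# Assumed hosts: DC01 = domain controller for CORP, WS07 = workstation, FS02 = file server.
EVENTS = [
    (100, "DC01", 4768, "CORP\\alice"),       # DC validates alice's credentials
    (101, "WS07", 4624, "CORP\\alice"),       # interactive session created on WS07
    (160, "DC01", 4769, "CORP\\alice"),       # DC issues a service ticket for FS02
    (161, "FS02", 4624, "CORP\\alice"),       # network session on the share host
    (300, "WS07", 4776, "WS07\\localadmin"),  # local account: WS07 is authoritative
    (300, "WS07", 4624, "WS07\\localadmin"),
    (400, "DC01", 4776, "CORP\\bob"),         # NTLM validation attempt at the DC
    (400, "FS02", 4625, "CORP\\bob"),         # failed network logon on FS02
]

def policy_category(event_id):
    if event_id in ACCOUNT_LOGON:
        return "Account Logon"
    if event_id in LOGON_LOGOFF:
        return "Logon/Logoff"
    return None

def hosts_by_category(events):
    """Which hosts logged events in each audit policy category."""
    seen = defaultdict(set)
    for _, host, event_id, _ in events:
        category = policy_category(event_id)
        if category:
            seen[category].add(host)
    return {category: sorted(hosts) for category, hosts in seen.items()}

def pair_logons(events, window=5):
    """For each logon attempt, find the host that validated the credentials."""
    validations = [e for e in events if e[2] in ACCOUNT_LOGON]
    pairs = []
    for ts, host, event_id, account in events:
        if event_id not in (4624, 4625):
            continue
        near = [v for v in validations if v[3] == account and 0 <= ts - v[0] <= window]
        pairs.append((account, host, near[-1][1] if near else None))
    return pairs

if __name__ == "__main__":
    print(hosts_by_category(EVENTS))
    print(pair_logons(EVENTS))
```

Each tuple from `pair_logons` is (account, machine accessed, machine that validated the credentials): the two differ for domain accounts and coincide for the local account.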

 

If you want to know more about auditing account logon events and logon events, this blog (http://blogs.msdn.com/ericfitz/default.aspx) is a good place to start.

Posted on Tuesday, August 30, 2005 8:39 PM


Comments on this post: Auditing: The difference between audit account logon event and audit logon event.

# re: Auditing: The difference between audit account logon event and audit logon event.
Thank you. This came up recently on a Microsoft exam (70-290). It really bugged me, as I could not determine the difference. This clears it up.
Left by Craig on Jun 27, 2006 10:49 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
I'm currently cramming for the (70-292), and I also came up with this question!

Thanks for the post!!
Left by Tiago Santos on Jul 08, 2006 10:59 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
I'm preparing for 70-291 and this one confused me too.
Left by lszb on Nov 02, 2006 10:38 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Microsoft should be better than just being bad at choosing names. How hard is it..?
Left by R. on Dec 06, 2006 7:07 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
thx.
ps: preparing for 70-290
Left by Alex on Dec 22, 2006 12:44 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
I've already passed 70-290, 291 & now working on 299 & I finally had these events explained in common non-Microsoft language. Wasn't quite sure what the difference was before. Thanks, it makes sense now.

-Chad
Left by bodhi on Jan 31, 2007 9:55 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Hi, dear friend! Thanks for the explanation.

I have one doubt... when I log on interactively to a machine with Windows XP, will two audit logs be created? One for the logon events on the machine, and another for account logon events on the domain controller. Is that right?

The doubt is... if I log on to the domain, my credentials must be validated, and this process will create an audit account logon event on the DC. And whether the validation was successful or not, an audit logon event will be created on the machine too. Is that right?

Sorry for the bad English... I'm Brazilian.

Thanks for your help.
Left by Tiago on Jun 04, 2007 7:30 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Hehe, I'm preparing for 70-290 too, that's why I'm here :) Funny, seems like no one else cares other than us, who gotta pass the exam.
Left by probe on Jun 28, 2007 4:15 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
Can somebody write code for VISUAL BASIC?
tks
Left by Nudelman Zinowij on Oct 31, 2007 4:04 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
all you silly person
"account logon events" are generated where the account lives; "logon events" are generated where the logon attempt occurs.



Abhay saini (mcse,server 2008 exchange 2007, mssql)
Left by Abhay saini on Nov 21, 2008 1:30 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Thank you. I am preparing for 70-290. In the Microsoft 70-290 book this question is explained very badly and in a complicated way, but your answer is clear :)
Left by aceqbaceq on Feb 19, 2009 4:49 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
Thanks a lot for giving a proper understanding...
Left by Ragesh on May 12, 2009 9:49 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
Thanks a lot...

This article is really good, as I was stuck on understanding the concept for a few days... :)
Left by Dhruv Sharma on Aug 10, 2009 2:28 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
Nice work dude. I was giving a training on various techniques of manually auditing Windows systems and I came across this issue. I got very confused in the beginning, but then I gave the same explanation of this difference, using common sense and intuition, that you've dug out. I wasn't 100% sure though, but now I am. Thanks again.
Left by Muhammad Tariq on Dec 15, 2009 3:22 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
If you are prepping for 291, use the MS Self Test software and the MS Press Readiness Review; the two give conflicting answers.
Left by Steve on Dec 27, 2009 2:19 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Sorry. Meant 290.
Left by Steve on Dec 27, 2009 2:19 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Your blog gave the impression of explaining this confusing terminology, while in the end, using their own confusing terms to explain it, so I think you failed. I still do not understand. Too geeky. Please explain with simpler terms. You succeeded in getting across that Microsoft was bad with terms, well, I knew that from being confused to begin with.
Thanks.
Left by Chad on Dec 31, 2009 11:38 AM

# Great post
Cool article you got here. I'd like to read a bit more concerning that topic. Thanks for giving this material.
Left by StephanJade on Feb 08, 2010 1:29 PM

# Thanx
Rather nice site you've got here. Thanks to the author for it. I like such topics and anything that is connected to them. I definitely want to read more on that blog soon.

Truly yours
Left by Darek Wax on Feb 15, 2010 11:42 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
Where logons generate:

A, Audit Logons =Session logons:
-Local Interactive:local machine
- Network session: file server hosting share etc.

vs

B, Audit Account Logons:
where credentials are validated
-Local accounts: local machine
-Domain accounts: on DC
Left by HV on Mar 13, 2010 6:14 PM

# re: Auditing: The difference between audit account logon event and audit logon event.
Chad, if you thought this was still too "geeky" and not simple enough, then you should not be administering servers and security! It is very complicated and technical, and cannot be simplified that much without losing the level of meaning necessary to get the job done. Pay someone who actually understands this stuff to take care of your servers.
Left by Anonymous on Dec 15, 2010 10:31 AM

# re: Auditing: The difference between audit account logon event and audit logon event.
ADAudit Plus is a valuable security tool that will help you be compliant with all the IT regulatory acts. With this tool, you can monitor user activity such as logon, file access, etc. A configurable alert system warns you of potential threats.
Left by johnrockfellerz on Jun 19, 2011 11:20 PM



Copyright © Michel Klomp | Powered by: GeeksWithBlogs.net