Auditing account logon events vs. logon events

w^rl0rdw^rl0rd Member Posts: 329
OK, I thought I understood this until I took a practice exam and got it wrong.

If I understand correctly, logon events occur when you log onto your workstation. Account logon events occur on DCs when you log onto the network.

Am I missing something here?

If I am auditing account logon events in the Default Domain Controller GPO and read the security log on my DC, it should show events generated when workstations authenticate into the domain right?

I'm taking an MS Press practice test "powered by MeasureUp" and it specifically says in the answer "Account logon events occur on the local system where the user is logging on, not on the domain controller."

I've heard of MS printing the wrong info in their own books before but not practice exams.

Comments

  • CessationCessation Member Posts: 326
    w^rl0rd wrote:
    OK, I thought I understood this until I took a practice exam and got it wrong.

    If I understand correctly, logon events occur when you log onto your workstation. Account logon events occur on DCs when you log onto the network.

    Am I missing something here?

    Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
    (http://technet2.microsoft.com/WindowsServer/en/library/d8fc798c-1e77-4043-b59c-971b4961d85a1033.mspx?mfr=true)

    Looks to me like you have it right.

    You know its funny because I was confused by the same test I think. Ha. GJ Microsoft
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • CessationCessation Member Posts: 326
    My exam is less than 24 hours away.. Im scared =P :P
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • SmallguySmallguy Member Posts: 597
    you have it right....ms can make mistakes on there test software

    I know that the 291 software has the ability to perform updates... have u looked there


    also there could be an erratta on the MS site.
  • SmallguySmallguy Member Posts: 597
    Cessation wrote:
    My exam is less than 24 hours away.. Im scared =P :P

    you can be concerned or worried but don't be scared I'm sure you worked hard.

    The certs can be tricky but really I found 290 easier thna 270

    good luck you'll be fine
  • CessationCessation Member Posts: 326
    Smallguy wrote:
    Cessation wrote:
    My exam is less than 24 hours away.. Im scared =P :P

    you can be concerned or worried but don't be scared I'm sure you worked hard.

    The certs can be tricky but really I found 290 easier thna 270

    good luck you'll be fine

    Really? that would be sweet if the 290 was easier. Ha.
    Not really scared though. Just get a bit jittery when test time comes around thats all.
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • famosbrownfamosbrown Member Posts: 637
    Good luck!! I will probably be taking it next week. Let us know how you do.

    Famos
    B.S.B.A. (Management Information Systems)
    M.B.A. (Technology Management)
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    The above explanation about regular logon events isn't actually correct. When a local account logs on locally it's actually an account logon. When a domain user authenticates to a DC, it's an account logon.

    A regular logon event occurs when a domain user accesses resources on a member server, it's a logon event on that member server. Everytime you access resources on a member server, you need a kerberos service ticket. When that member server checks your access and grants you access, it'll register a logon event on that member server.

    Logon events can work differently using other authentication protocols such as NTLM or if it's a standalone server (server that is not in the domain but is hosting accessible resources).

    http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
    Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • w^rl0rdw^rl0rd Member Posts: 329
    According to MS:


    Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Well, whatever. I quoted the information and posted the technet article.

    Account logon events are generated two different ways.

    1. When a domain account authenticates to a Domain Controller.
    2. When a local account authenticates to a local Security Accounts Manager database.

    Both scenarios are accounts logging on. One is just when you're in a workstation enviornment and another is when you're in a domain enviornment.

    Logon events are completely different. It's when you're accessing resources, not authenticating with user credientials.

    Again, I will post the quote directly from the following technet article:


    http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
    Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • tawnostawnos Member Posts: 26 ■□□□□□□□□□
    Somewhat old thread, but i'm having the same problems with getting confused by this and i think it may be the test. The question reads:
    In a recent network break-in, the intruder logged on as a user with permission to read a set of confidential files. You suspect that the intruder used a brute force approach to discover the user's password. You have implemented a strong password policy and required all users to change their passwords. Now you want to institute an audit policy that will let you watch for a pattern indicating a brute force attack on domain accounts. Which event category will you audit on the domain controller to gather the necessary information?
    The question lists the correct answer as "Audit failed logon events" but from what i can tell it should be "Audit failed account logon events" instead, but as i think the tests provided with the microsoft books have made this error in other questions as well, i'm now so thoroughly confused that i can't tell if i'm just missing something important or if they have managed to randomly get the distinction between logon and account logon events wrong. Would the actual correct answer be "Audit failed account logon events"?
  • Silver BulletSilver Bullet Member Posts: 676 ■■■□□□□□□□
    Now you want to institute an audit policy that will let you watch for a pattern indicating a brute force attack on domain accounts

    Since it specifically states domain accounts, then the correct answer would be to Audit Failed Account Logon Events.

    That is the kind of thing you have to look for in these Microsoft tests. The one or two lines of trickery.
  • cbriantcbriant Member Posts: 59 ■■□□□□□□□□
    I have come accross the same question in the Readiness Review Suite about account logon events and this was contrary to another testing program which had a similar question with the answer stating that account logon events occur when authentication takes place on a domain controller. This really confused me, but I am now led to believe that the question asked in the Readiness Review Suite (Which is included with the official Microsoft training kit) is inaccurate.
Sign In or Register to comment.