Auditing account logon events vs. logon events

w^rl0rd Member Posts: 329
OK, I thought I understood this until I took a practice exam and got it wrong.

If I understand correctly, logon events occur when you log onto your workstation. Account logon events occur on DCs when you log onto the network.

Am I missing something here?

If I am auditing account logon events in the Default Domain Controller GPO and read the security log on my DC, it should show events generated when workstations authenticate into the domain right?

I'm taking an MS Press practice test "powered by MeasureUp" and it specifically says in the answer "Account logon events occur on the local system where the user is logging on, not on the domain controller."

I've heard of MS printing the wrong info in their own books before but not practice exams.

Comments

  • Cessation Member Posts: 326
    w^rl0rd wrote:
    OK, I thought I understood this until I took a practice exam and got it wrong.

    If I understand correctly, logon events occur when you log onto your workstation. Account logon events occur on DCs when you log onto the network.

    Am I missing something here?

    Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log. Account logoff events are not generated.
    (http://technet2.microsoft.com/WindowsServer/en/library/d8fc798c-1e77-4043-b59c-971b4961d85a1033.mspx?mfr=true)

    Looks to me like you have it right.

    You know it's funny because I was confused by the same test I think. Ha. GJ Microsoft
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • Cessation Member Posts: 326
    My exam is less than 24 hours away.. I'm scared =P :P
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • Smallguy Member Posts: 597
    you have it right....MS can make mistakes on their test software

    I know that the 291 software has the ability to perform updates... have you looked there

    also there could be an errata on the MS site.
  • Smallguy Member Posts: 597
    Cessation wrote:
    My exam is less than 24 hours away.. I'm scared =P :P

    you can be concerned or worried but don't be scared I'm sure you worked hard.

    The certs can be tricky but really I found 290 easier than 270

    good luck you'll be fine
  • Cessation Member Posts: 326
    Smallguy wrote:
    Cessation wrote:
    My exam is less than 24 hours away.. I'm scared =P :P

    you can be concerned or worried but don't be scared I'm sure you worked hard.

    The certs can be tricky but really I found 290 easier than 270

    good luck you'll be fine

    Really? that would be sweet if the 290 was easier. Ha.
    Not really scared though. Just get a bit jittery when test time comes around that's all.
    A+, MCP(270,290), CCNA 2008.
    Working back on my CCNA and then possibly CCNP.
  • famosbrown Member Posts: 637
    Good luck!! I will probably be taking it next week. Let us know how you do.

    Famos
    B.S.B.A. (Management Information Systems)
    M.B.A. (Technology Management)
  • royal Member Posts: 3,352
    The above explanation about regular logon events isn't actually correct. When a local account logs on locally it's actually an account logon. When a domain user authenticates to a DC, it's an account logon.

    A regular logon event occurs when a domain user accesses resources on a member server, it's a logon event on that member server. Every time you access resources on a member server, you need a Kerberos service ticket. When that member server checks your access and grants you access, it'll register a logon event on that member server.

    Logon events can work differently using other authentication protocols such as NTLM or if it's a standalone server (server that is not in the domain but is hosting accessible resources).

    http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
    Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • w^rl0rd Member Posts: 329
    According to MS:


    Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. Logon events are generated when a local user is authenticated on a local computer. The event is logged in the local security log.
  • royal Member Posts: 3,352
    Well, whatever. I quoted the information and posted the technet article.

    Account logon events are generated two different ways.

    1. When a domain account authenticates to a Domain Controller.
    2. When a local account authenticates to a local Security Accounts Manager database.

    Both scenarios are accounts logging on. One is just when you're in a workstation environment and another is when you're in a domain environment.

    Logon events are completely different. It's when you're accessing resources, not authenticating with user credentials.

    Again, I will post the quote directly from the following technet article:


    http://technet2.microsoft.com/WindowsServer/en/library/e104c96f-e243-41c5-aaea-d046555a079d1033.mspx?mfr=true
    Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • tawnos Member Posts: 26
    Somewhat old thread, but I'm having the same problems with getting confused by this and I think it may be the test. The question reads:
    In a recent network break-in, the intruder logged on as a user with permission to read a set of confidential files. You suspect that the intruder used a brute force approach to discover the user's password. You have implemented a strong password policy and required all users to change their passwords. Now you want to institute an audit policy that will let you watch for a pattern indicating a brute force attack on domain accounts. Which event category will you audit on the domain controller to gather the necessary information?
    The question lists the correct answer as "Audit failed logon events" but from what I can tell it should be "Audit failed account logon events" instead, but as I think the tests provided with the Microsoft books have made this error in other questions as well, I'm now so thoroughly confused that I can't tell if I'm just missing something important or if they have managed to randomly get the distinction between logon and account logon events wrong. Would the actual correct answer be "Audit failed account logon events"?
  • Silver Bullet Member Posts: 676
    Now you want to institute an audit policy that will let you watch for a pattern indicating a brute force attack on domain accounts

    Since it specifically states domain accounts, then the correct answer would be to Audit Failed Account Logon Events.

    That is the kind of thing you have to look for in these Microsoft tests. The one or two lines of trickery.
  • cbriant Member Posts: 59
    I have come across the same question in the Readiness Review Suite about account logon events and this was contrary to another testing program which had a similar question with the answer stating that account logon events occur when authentication takes place on a domain controller. This really confused me, but I am now led to believe that the question asked in the Readiness Review Suite (Which is included with the official Microsoft training kit) is inaccurate.