Audit Query for 70-290 Exam
surfthegecko
Member Posts: 149
Hi,
I don't know why I'm finding this particular aspect of auditing somewhat confusing but I am.
I was hoping somebody could confirm my final attempt at understanding the below, or explain the difference.
I am trying to find out the actual difference between the following 2 Audit entry types:
Audit Account Logon Events & Audit Logon Events
The way I understand it is that 'Audit Account Logon Events' are when userA logs onto their desktop as a domain user and the successful/failed attempt gets logged within the Domain Controller's Security Event Log.
The Audit Logon Events however is when userA attempts to access resources via file share on a server or another desktop/laptop and a success/failure entry is placed into the Security Log of the machine that is hosting the resource.
Can somebody confirm if that is correct, or if I'm completely barking up the wrong teapot?
Thanks
Nick
Comments
-
dynamik
Banned Posts: 12,312
It looks like you're barking up the right teapot.
The only thing I might change is that you shouldn't limit logon events to just file shares; I would think of it as accessing resources. I think those will also be triggered when doing things like accessing IIS with integrated Windows authentication.
This explains it pretty well: http://geekswithblogs.net/woodenshoe/archive/2005/08/30/51642.aspx
-
surfthegecko
Member Posts: 149
I only put file shares as an example. It's good to know I am on the right track though, I can now knock another topic on the head.
Nice one. Thanks dynamik.
:P
-
surfthegecko
Member Posts: 149
Just read that blog, clears things up somewhat.
I didn't realise either that technically the Audit Logon Event will also leave an entry in the local machine once logged onto.
So would I be right in assuming that if UserA logs onto a machine connected to a domain, it will generate an 'Audit Logon Event' on the local machine as well as an 'Audit Account Logon Event' on the DC?
Last question on this topic, honest.
-
dynamik
Banned Posts: 12,312
Yea, if you follow that first link in that article, it goes a little more in-depth: http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx
Also, when in doubt, lab it up
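
The distinction discussed in this thread, as an added example that is not part of any poster's reply: a Python sketch that sorts constructed Security log records by audit category and reports which computer recorded them. The event IDs are the pre-Vista (Windows Server 2003) numbers and, like the host names DC1, WS1, FS1, WS2 and the local-account case, are assumptions that go beyond what the thread states.

```python
import csv
from io import StringIO

ACCT = "Audit Account Logon Events"   # credential validation
SESS = "Audit Logon Events"           # logon session created or ended

# Pre-Vista Security log event IDs (Windows Server 2003 numbering); these IDs
# are an assumption added for this example and do not appear in the thread.
EVENT_CATEGORY = {
    672: ACCT,  # Kerberos authentication ticket (TGT) granted
    673: ACCT,  # Kerberos service ticket granted
    675: ACCT,  # Kerberos pre-authentication failed
    680: ACCT,  # NTLM credential validation
    528: SESS,  # successful logon
    529: SESS,  # logon failure: unknown user name or bad password
    538: SESS,  # logoff
    540: SESS,  # successful network logon
}

# Constructed sample: computer whose Security log holds the event, event ID, account.
SAMPLE = """\
DC1,672,userA
WS1,528,userA
DC1,673,userA
FS1,540,userA
DC1,675,userB
WS1,529,userB
WS2,680,localadmin
WS2,528,localadmin
"""

def category(event_id):
    """Return the audit policy category for an event ID, or None if unknown."""
    return EVENT_CATEGORY.get(event_id)

def where_logged(text):
    """Map account -> category -> set of computers that recorded such events."""
    result = {}
    for row in csv.reader(StringIO(text)):
        if len(row) != 3 or not row[1].strip().isdigit():
            continue  # skip blank or malformed lines
        host, event_id, account = (field.strip() for field in row)
        cat = category(int(event_id))
        if cat:
            result.setdefault(account, {}).setdefault(cat, set()).add(host)
    return result

if __name__ == "__main__":
    for account, cats in where_logged(SAMPLE).items():
        for cat, hosts in sorted(cats.items()):
            print(f"{account:<11} {cat:<27} logged on {sorted(hosts)}")
```

In the sample, userA's account logon events appear only on DC1 while the logon events appear on WS1 (desktop logon) and FS1 (share access). The local account on WS2 produces both categories on WS2, because that machine validates its own accounts.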