audit logon

[Terence]

Hello,

What is the difference between 'Audit Account logon
events' and 'Audit logon events' inside domain security
policy?

thanks for help!
Terence

 

[Steven L Umbach]

Audit account logon events are recorded on the computer where a user logs on
authenticating to either a local sam or Active Directory. Logon events are
recorded whenever a user accesses a computer/resource with their
credentials. For instance, if you log onto a domain, the authenticating
domain controller will record an account logon event in it's security log if
auditing for it is enabled. However if you access a server with those domain
credentials, a logon event would be recorded on that server if it is
enabled. When you log onto a domain at a domain computer, you are actually
logging onto the domain and not to that computer, and no account log on
event would be recorded on that computer but a logon event would. Hope that
helps. -- Steve

 

[Eric Fitzgerald [MSFT]]

In addition, Logon/logoff events have more information, and come in pairs
(logon<--->logoff). Account logons don't have associated logoff events.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.