djc
Well, in theory I understand the difference between logon/logoff and account
logon/logoff. I have read about it in books and have studied the subject
from practice test questions for MS certifications. I can honestly tell you
I can get every question right and still be completely confused when I look
at a security log!
account logons: these are 'domain accounts' and get logged on whatever DC
did the authentication. These occur when logging on interactively to any
computer in the domain.
logons: these are local account logons and get logged on the machine
where the logon took place, could be DC or any other server or workstation.
They occur when logging on interactively OR when connecting remotely via
resource share.
I am aware that during an interactive logon an account logon gets logged on
the DC, a logon gets logged on the DC (because scripts etc. are accessed)
and a logon gets logged on whatever machine the interactive logon took
place.
just getting that out because when ANY question related to this gets asked
that's usually the answer you get whether that's what you're asking or not.
based on what I read and stated above it's very simple. The security logs
tell another story though.
1) I DO see account logon events logged on non-DC computers?
2) when taking the simple rules as laid out in books and test questions you
would think it would be easy to get an answer to the fundamental question
that is the purpose of this whole thing to begin with: A LOGON
SUCCEEDED/FAILED. WHAT USERNAME? FROM WHERE? Now I can handle the fact that
one interactive logon triggers 3 event log entries because that makes sense.
But I see WAY more than 3 entries triggered by what I can only assume was 1
real event. But I don't know.
what does Pre-authentication failed: ID 675 mean?
what does Authentication Ticket Request Failed: ID 676 mean?
what does Service Ticket Request Failed: ID 677 mean?
and there are several more! yes, I know, Kerberos. I understand the Kerberos
process. But I don't know how to look at a security log and answer the
simple question of A LOGON SUCCEEDED/FAILED. WHAT USERNAME? FROM WHERE?
anyone care to take a stab at explaining this? I am really frustrated at the
fact that I can get every test question related to this right but still am
not able to do anything useful with it. I know I am making myself look bad
but that's where I'm at. Yep, I'm an MCSA 2000: Security! funny huh.