There is a subtle, but important to know, difference when it comes to trying
to track down account lockouts or hack attempts. Account logon events are
used to record when a user logs onto a computer. The event is recorded on
the computer that authenticated the user - the actual computer [local sam]
if logging onto a local machine account or the domain controller that
validated a domain user logging into the domain. An account logon event will
not be recorded on the domain computer where a domain user logs onto the
domain but a logon event could be. Logon events are recorded where a user
uses their credentials such as accessing a domain file server in which case
a type 3 netwok logon would be recorded in the security log of the file
server showing the name and computer used by the domain user. See the links
below for more info including how to interpret the Event ID's. --- Steve
[bored at work]
http://www.microsoft.com/resources/...dowsServ/2003/standard/proddocs/en-us/515.asp
http://tinyurl.com/2zg73 -- shorter in case of wrap.
http://www.microsoft.com/resources/...dowsServ/2003/standard/proddocs/en-us/518.asp
http://tinyurl.com/34osj -- shorter link in case of wrap.
