If you want to get down in the weeds there's also the " Interactive logon: Require Domain Controller authentication to unlock" policy setting that will generate security events. :-)
If you desire good background on this particular facet of auditing, Erik Fitgerald was a PM on the team that developed the new audit subsystem and while he wasn't a prolific blogger but what he wrote was most excellent. Case in point- http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx -----Original Message----- From: Ben Scott [mailto:[email protected]] Sent: Wednesday, January 18, 2012 1:53 PM To: NT System Admin Issues Subject: [dkim-failure] Re: Last Logon On Wed, Jan 18, 2012 at 1:32 PM, Jonathan Link <[email protected]> wrote: > Also, doesn't a lock/unlock count as a logoff/logon? I'm usre about > the unlock being a login event. Not sure about the lock... As far as I can tell, the console locking is not a logon or logoff event. It may be logged in the Security log (depending on the version of Windows, Service Pack, configured options, phase of the moon, etc.), but it doesn't result in a logon session being created or destroyed. Unlocking the console results in a logon *and* a logoff event. Apparently Windows actually creates a logon session object just to verify the credentials provided. So you get a logon event for that. Then it immediately destroys that logon session, so you get a logoff event. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
