Event id 4634 logon type 2

19.02.2021 By Gubar


4624(S): An account was successfully logged on.

I am attempting to get this PS script going to pull the Security log from multiple machines, search only for the Event ID of and show me only the logs that contain "Logon Type: 2" (interactive logon).

I have everything else working except for the part of obtaining only those logs for interactive logons. Here is a snip of my script; if anyone has any idea how to get this going it would be greatly appreciated. If I take the 2 out of "Logon Type" it works and I get everything, but if I have anything after that it does not kick any errors, but it doesn't yield results either. Yes, I have verified that I have interactive logon events during my filtered timeframe.

To filter out successful logon events of interactive logon type for today:

FYI, in case anyone else ever attempts to do this same thing: it was looking for extra spaces after "Logon Type:". It wanted it to look like it does in the log itself, "Logon Type: 2". I am not sure how to get around this in PowerShell, but putting it that way did the trick for me.

I worked on several approaches to this problem.

I thought they might be useful since identifying logon types is important. The results are appended to a CSV. The modified code would look like this:

Additionally, if the PowerShell script needs to query older operating systems that still use classic event logs, the Get-EventLog cmdlet can likewise be employed with the same pattern, as shown here:

It did not come through above; it appears to be four tabs between "Logon Type:" and the 2.
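The whitespace problem in the thread comes from matching the rendered message text. The script below is an added example, not code from the question or its answers: it filters the structured LogonType field of 4624 with XPath, so the number of tabs in the message is irrelevant, collects from several hosts, and appends to a CSV. Host names, the time window and the output path are assumptions; a Get-EventLog variant for hosts with classic logs is included.

```powershell
# Added example (not from the original post): pull 4624 events for chosen logon
# types from several machines by filtering the structured LogonType field with
# XPath, instead of matching "Logon Type:<tabs>2" inside the message text, where
# the exact whitespace has to match. Host names, the time window and the output
# path are assumptions.

param(
    [string[]]$ComputerName = @('WS01', 'WS02'),   # assumed host names
    [int[]]$LogonType       = @(2),                # 2 = Interactive; add 10 for RDP
    [datetime]$Start        = (Get-Date).Date,     # today, from midnight
    [string]$OutFile        = '.\interactive-logons.csv'
)

# XPath in the Event Viewer dialect: EventID 4624, created within the last $ms
# milliseconds, LogonType equal to any of the wanted values.
$ms = [int64]((Get-Date) - $Start).TotalMilliseconds
$typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[$typeClause]]"

function Convert-LogonEvent {
    # Map the positional EventData of a 4624 record to a flat object.
    # Index 8 = LogonType, 5/6 = target user/domain, 7 = Logon ID,
    # 10 = authentication package, 11 = workstation, 18 = source IP.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $p = $Event.Properties
    [pscustomobject]@{
        Computer    = $Event.MachineName
        TimeCreated = $Event.TimeCreated
        LogonType   = [int]$p[8].Value
        User        = '{0}\{1}' -f $p[6].Value, $p[5].Value
        LogonId     = '0x{0:X}' -f [uint64]$p[7].Value
        AuthPackage = $p[10].Value
        Workstation = $p[11].Value
        SourceIp    = $p[18].Value
    }
}

function Get-InteractiveLogon {
    param([string]$Computer)
    try {
        Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object { Convert-LogonEvent $_ }
    }
    catch {
        # Get-WinEvent throws when nothing matches; that is an empty result, not an error
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$Computer : $_" }
    }
}

# Windows PowerShell only (Get-EventLog is not in PowerShell 7): the same filter
# for hosts that still expose the classic Security log. ReplacementStrings uses
# the same positions as Properties above.
function Get-InteractiveLogonLegacy {
    param([string]$Computer)
    Get-EventLog -ComputerName $Computer -LogName Security -InstanceId 4624 -After $Start |
        Where-Object { [int]$_.ReplacementStrings[8] -in $LogonType } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $Computer
                TimeCreated = $_.TimeGenerated
                LogonType   = [int]$_.ReplacementStrings[8]
                User        = '{0}\{1}' -f $_.ReplacementStrings[6], $_.ReplacementStrings[5]
                LogonId     = $_.ReplacementStrings[7]
                AuthPackage = $_.ReplacementStrings[10]
                Workstation = $_.ReplacementStrings[11]
                SourceIp    = $_.ReplacementStrings[18]
            }
        }
}

$results = foreach ($c in $ComputerName) { Get-InteractiveLogon -Computer $c }
$results | Sort-Object Computer, TimeCreated | Export-Csv -NoTypeInformation -Append -Path $OutFile
$results | Format-Table Computer, TimeCreated, LogonType, User, Workstation, SourceIp -AutoSize
```

Remote collection needs the Remote Event Log Management firewall rule open on the targets and an account that can read their Security log; the XPath filter is evaluated on the remote host, so only matching records cross the wire.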

Logon type – what does it mean?

You can tie this event to logoff events using the Logon ID. Subject: identifies the account that requested the logon, NOT the user who just logged on. Subject is usually Null or one of the service principals and not usually useful information. See New Logon for who just logged on to the system.

This is a valuable piece of information as it tells you HOW the user just logged on:

Logon Type  Description
2   Interactive: logon at the keyboard and screen of the system
3   Network: i.e. a connection to a shared folder on this computer from elsewhere on the network
4   Batch: scheduled task
5   Service: a Windows service started by the Service Control Manager
6   Proxy: this logon type does not seem to show up in any events
7   Unlock: unlocking a password-protected workstation
8   NetworkCleartext: network logon with a cleartext password. Most often indicates a logon to IIS with "basic authentication". See this article for more information.
9   NewCredentials: MS says "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections." This is what runas /netonly produces.
10  RemoteInteractive: Terminal Services, Remote Desktop or Remote Assistance
11  CachedInteractive: logon with cached domain credentials, for example on a laptop away from the network

Impersonation Level (COM/WMI impersonation levels):
Anonymous: COM impersonation level that hides the identity of the caller. Calls to WMI may fail with this impersonation level.
Default: Default impersonation.
Delegate: Delegate-level COM impersonation level that allows objects to permit other objects to use the credentials of the caller. This level, which will work with WMI calls but may constitute an unnecessary security risk, is supported only under Windows
Identify: Identify-level COM impersonation level that allows objects to query the credentials of the caller.
Impersonate: Impersonate-level COM impersonation level that allows objects to use the credentials of the caller. This is the recommended impersonation level for WMI calls.

New Logon: the user who just logged on is identified by the Account Name and Account Domain.

You can determine whether the account is local or domain by comparing the Account Domain to the computer name. If they match, the account is a local account on that system; otherwise it is a domain account. Of course, if the logon is initiated from the same computer this information will either be blank or reflect the same local computer.

Below is the audit policy. How can I get Type 2 and 10 to be logged on the DCs?

To get a logon type 2 event, please try to perform a local logon, for example, use a Domain Admin account to log onto one DC, then find Event on this DC.

I am looking for the workstations on the network to log the Logon Types 2 and 10 on the Domain Controllers. Is there anything I need to configure on the workstation to achieve this?


Hi, Logon type 2 indicates Interactive logon and logon type 10 indicates Remote Interactive logon. Best Regards, Amy.

You will typically see both and events when the logoff procedure was initiated by the user. Logon IDs are only unique between reboots on the same computer. Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.


The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers. Formats vary, and include the following:

The table below contains the list of possible values for this field:
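Tying 4624 to 4634 by Logon ID, as the text above describes, is the usual way to get session durations. The script below is an added example and not part of any of the quoted pages: it pairs each logon with the logoff carrying the same Logon ID and treats a repeated Logon ID as the boundary the text warns about (IDs are only unique between reboots). The sample records, the host name and the helper that reads the Security log are assumptions.

```powershell
# Added example (not part of the original page): pair each 4624 logon with the
# 4634 logoff that carries the same Logon ID to get session durations. The
# constructed records below stand in for a real query; Get-SessionRecord shows
# how the same fields come out of the Security log. Host name and sample data
# are assumptions.

function Get-SessionRecord {
    # 4624: Properties[7] = TargetLogonId, [8] = LogonType, [5]/[6] = user/domain
    # 4634: Properties[3] = TargetLogonId, [4] = LogonType, [1]/[2] = user/domain
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Start = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4634; StartTime = $Start } |
        ForEach-Object {
            $p = $_.Properties
            $i = if ($_.Id -eq 4624) { 7, 8, 5, 6 } else { 3, 4, 1, 2 }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                LogonId   = [uint64]$p[$i[0]].Value
                LogonType = [int]$p[$i[1]].Value
                User      = '{0}\{1}' -f $p[$i[3]].Value, $p[$i[2]].Value
            }
        }
}

function Join-LogonSession {
    param([Parameter(Mandatory)][object[]]$Record)
    # Logon IDs are unique only between reboots, so a second 4624 for an ID that is
    # still open ends the old session (reported without a logoff) and starts a new one.
    $open = @{}
    foreach ($r in ($Record | Sort-Object Time)) {
        $key = '0x{0:X}' -f [uint64]$r.LogonId
        switch ($r.Id) {
            4624 {
                if ($open.ContainsKey($key)) {
                    $s = $open[$key]; $s.Note = 'Logon ID reused (reboot?)'; $s
                }
                $open[$key] = [pscustomobject]@{
                    User = $r.User; LogonType = $r.LogonType; LogonId = $key
                    Logon = $r.Time; Logoff = $null; Duration = $null; Note = ''
                }
            }
            4634 {
                # a 4634 with no open 4624 started before the window; nothing to pair
                if ($open.ContainsKey($key)) {
                    $s = $open[$key]
                    $s.Logoff = $r.Time; $s.Duration = $r.Time - $s.Logon
                    $open.Remove($key); $s
                }
            }
        }
    }
    foreach ($s in $open.Values) { $s.Note = 'no logoff in window'; $s }
}

# Constructed sample records (not real log data): one interactive session that
# ends, one short network logon, one RDP session still open.
$t = Get-Date '2021-02-19 08:00'
$sample = @(
    [pscustomobject]@{ Time = $t;               Id = 4624; LogonId = 0x3E7A1; LogonType = 2;  User = 'CORP\alice'    }
    [pscustomobject]@{ Time = $t.AddMinutes(1); Id = 4624; LogonId = 0x3F002; LogonType = 3;  User = 'CORP\svc-scan' }
    [pscustomobject]@{ Time = $t.AddMinutes(2); Id = 4634; LogonId = 0x3F002; LogonType = 3;  User = 'CORP\svc-scan' }
    [pscustomobject]@{ Time = $t.AddHours(8);   Id = 4634; LogonId = 0x3E7A1; LogonType = 2;  User = 'CORP\alice'    }
    [pscustomobject]@{ Time = $t.AddHours(9);   Id = 4624; LogonId = 0x41BB0; LogonType = 10; User = 'CORP\bob'      }
)
Join-LogonSession -Record $sample | Format-Table User, LogonType, LogonId, Logon, Logoff, Duration, Note -AutoSize
# Against a real host: Join-LogonSession -Record (Get-SessionRecord -ComputerName 'WS01')
```

The pairing is only meaningful on the machine that wrote the events: a Logon ID from one host means nothing on another, so feed the function one host's records at a time.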

Event Versions: 0. Event Viewer automatically tries to resolve SIDs and show the account name.

If the SID cannot be resolved, you will see the source data in the event. The table below contains the list of possible values for this field:

Logon Type  Logon Title  Description
2   Interactive  A user logged on to this computer.
8   NetworkCleartext  A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9   NewCredentials  A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
11  CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

If a particular Logon Type should not be used by a particular account (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions.

This event generates when a logon session is created on the destination machine. It generates on the computer that was accessed, where the session was created.


Restricted Admin mode was added in Win8.

Impersonation Level:
SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client.
SecurityIdentification (displayed as "Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
SecurityImpersonation (displayed as "Impersonation"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
SecurityDelegation (displayed as "Delegation"): The server process can impersonate the client's security context on remote systems.

Valid only for the NewCredentials logon type.

Process ID: it is a bit integer number used to identify resources, activities or instances. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

Other packages can be loaded at runtime. The most common authentication packages are:

Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.


Transmitted services are populated if the logon was the result of an S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos protocol that allows an application service to obtain a Kerberos service ticket on behalf of a user, most commonly done by a front-end website to access an internal resource on behalf of a user.

Possible values are:

Typically it has bit or 56 bit length.

To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor the Logon Type in this event. If your organization restricts logons in the following ways, you can use this event to monitor accordingly: if a specific account, such as a service account, should only be used from your internal IP address list or some other list of IP addresses; if a particular version of NTLM is always used in your organization.

I am a domain admin in a primarily MS shop. I have installed Spiceworks to monitor our network and used my account to monitor Windows machines. Probably not the best thing to do in hindsight. My supervisor is now reporting that I have been accessing his machine and has taken the issue directly to HR. He lists Event IDs and as evidence that I am accessing his machine.

However, I have not accessed his machine in any malicious manner. Is it possible that Spiceworks could generate these security events in his logs?

Event ID 4634 logoff – An account was logged off

I need to prove that these events are not intentional. Also, these events have appeared on days that I am not in the office. If you are running a Spiceworks scan with your own account, or have Spiceworks running as a service with your credentials, then perhaps you might want to try using another account.


As the documentation says on the Accounts page, Spiceworks will use the account that you've set up as the credentials to connect to the devices it scans. Look at the logon type: it should be 3 (network logon), which should include a Network Information portion of the event that contains the workstation name where the login request originated.

What are the possible services, processes, programs etc. that could generate these event IDs on their machine? My account information is tied to several different servers, programs etc. across the entire domain.

Did your supervisor come to you first with this or go directly to HR? I think the best you can do is to document when you had scans set to run, look at the last time his machine was scanned and try to match those up.

This is just the best advice I can offer, because of the potential seriousness of this I am compelled to attach a disclaimer.

The information contained in this post is for information purposes only, and may not apply to your situation. The author provides no warranty about the content or accuracy of content enclosed.


Information provided is subjective. Keep this in mind when reviewing this guide. The Author shall not be liable for any loss of profit or any other commercial damages resulting from use of this guide. All links are for information purposes only and are not warranted for content, accuracy, or any other implied or explicit purpose.


In my previous post I explained how to display the logon type for logon events in the Security log and described the meaning of some values.

Here I will give you more information about logon types. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

Logon type 3: Network. A user or computer logged on to this computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.).

Logon type 4: Batch. Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

This event type appears when a scheduled task is about to be started.

Logon type 5: Service. When Windows starts a service which is configured to log on as a user, Windows will create a new logon session for this service. If it uses special accounts, e.g. The opened logon session will be closed when the service stops and a logoff event will be registered.


Logon type 8: NetworkCleartext. A user logged on to this computer from the network. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). This event is generated when a password comes from the network as clear text.

Logon type 9: NewCredentials. A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

In this case you can run Event Log Explorer normally using your current credentials, but specify special credentials for network connections. On the WORK computer you type:

This will run Event Log Explorer even if you provided a wrong password.

This happens because it uses cloned current credentials to run the program (a new logon session will be opened). Event Log Explorer will try to open the resource file with event descriptions.

Logon type 10: RemoteInteractive. A user logged on to this computer remotely using Terminal Services or Remote Desktop.

Logon type 11: CachedInteractive. A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. By default Windows caches the last 10 or 25 logon credentials (it depends on the operating system) and this number can be increased.

Logon type 5: Service. A service was started by the Service Control Manager.