Audit Other Account Logon Events
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Examples can include the following:
Remote Desktop session disconnections
New Remote Desktop sessions
Locking and unlocking a workstation
Invoking a screen saver
Dismissing a screen saver
Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice
Note
This condition could be caused by a network misconfiguration.
Access to a wireless network granted to a user or computer account
Access to a wired 802.1x network granted to a user or computer account
Event volume: Varies, depending on system use
Default: Not configured
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
| Event ID | Event message |
|---|---|
4649 |
A replay attack was detected. |
4778 |
A session was reconnected to a Window Station. |
4779 |
A session was disconnected from a Window Station. |
4800 |
The workstation was locked. |
4801 |
The workstation was unlocked. |
4802 |
The screen saver was invoked. |
4803 |
The screen saver was dismissed. |
5378 |
The requested credentials delegation was disallowed by policy. |
5632 |
A request was made to authenticate to a wireless network. |
5633 |
A request was made to authenticate to a wired network. |