question

Joe-4025 avatar image
0 Votes"
Joe-4025 asked DaisyZhou-MSFT answered

Computer Account Logon

Hi, i have a quick question. How often does a "computer account" (not to confused with a user logon) logon against a DC? I've been reviewing security logs and i've noticed quite frequent computer account logins (4624). Those logon events do not correlate to the "lastLogon" value of the Computer Account object


 Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
    
 Logon Type: 3
    
 New Logon:
  Security ID: Domain\PC-102$
  Account Name: PC-102$
  Account Domain: Domain
  Logon ID: 0x61fe8f7ee
  Logon GUID: {86e8f2f4-eb16-50e6-0470-11525ea0d275}
    
 Process Information:
  Process ID: 0x0
  Process Name: -
    
 Network Information:
  Workstation Name:
  Source Network Address: 192.168.253.66
  Source Port: 37776
    
 Detailed Authentication Information:
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
    
 This event is generated when a logon session is created. It is generated on the computer that was accessed.
    
 The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
 The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
    
 The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
    
 The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
 The authentication information fields provide detailed information about this specific logon request.
  - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.



windows-active-directory
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SSengupta-4080 avatar image
0 Votes"
SSengupta-4080 answered

I shall also suggest you to go through:

4624(S): An account was successfully logged on.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello,
Thank you for posting in our Q&A forum.

Based on the test in my lab, if the domain computer is connected to the domain network.

And if we do the following actions(maybe it also includes other actions that I didn’t think of), the computer will logon:

1.Restart the domain computer
2.Shut down and start the domain computer
3.Update domain group policy about comuter (such as run gpupdate /force or gpupdate /force /target:computer on domain computer manually, or the domain computer update domain GPO in the background)
12353-update.png
4.Establish a secure channel or update a secure channel between the domain computer and domain controller.

I think it is "LastLogon" of the domain computer, it is only updated on one DC, that means this attribute is not replicated. We can get the "LastLogon" about computers in the domain with command on every DC in the domain and the lastest date value is the "LastLogon" value:

**Get-ADComputer -Filter -Properties lastlogon,lastlogondate,lastlogontimestamp | select -Property name,lastlogondate,lastlogontimestamp,@{n="lastlogon";e={[datetime]::FromFileTime($_.lastlogon)}}*

For example, I have two DCs in the domain (Win10-1809):

12315-last4.png

For more information about secure channel, we can refer to the link below.

Detailed Concepts: Secure Channel Explained
https://social.technet.microsoft.com/wiki/contents/articles/24644.detailed-concepts-secure-channel-explained.aspx?Sort=MostUseful&PageIndex=1



update.png (21.8 KiB)
last4.png (113.9 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Joe-4025 avatar image
0 Votes"
Joe-4025 answered

Hi Daisy,


Thanks so much for the response and detailed info. Very helpful.


So tested this a demo environment with a single DC. The events on the single DC are still not aligned with the "LastLogon" value


@DSPatrick and @SSengupta-4080 the provided links are for "user" logon events "contoso\administrator", not for a computer logon.



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hi Jeo-4025,
How do you test it?

I did test before in my lab:
1.Logon one domain-joined client, and run gpupdate /force or restart machine.
2.Then check event ID 4624 on this domain client or run the command above on DC, I can see the date/time is the time when I run gpupdate /force or restart machine.



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Joe-4025 avatar image
0 Votes"
Joe-4025 answered

Hi Daizy,


Ok i retested this. You're right. The "LastLogon" value is updated when GPupdating or rebooting. The Gpupdate and Reboot also generates a 4768 "Kerberos Authentication Service" event for the Computer object. When a user logs on, then i get a 4768 "Kerberos Authentication Service" event for the User object AND a 4624 "Logon" event for both the User And Computer object. If the user provides wrong credentials, then i only get a 4771 "Kerberos Authentication Service" event for the User object. All the mentioned event are on the DC of course. Is that what im supposed be seeing? Can you elaborate on the 4624 event log for the Computer object?

I wish Microsoft has this documented somewhere...

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hi,
Is that what im supposed be seeing?

>>Yes, I think it is right.

Can you elaborate on the 4624 event log for the Computer object?

For computer object, I understand: it is the time that domain computer connected to DC and computer needs DC authenticate to the computer credential and this authentication is successful.



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hi,
If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?

Best Regards,
Daisy Zhou

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hi
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.