During a single windows network logon, we are seeing a series of logon session ids and associated Logon/Logoff events

Question

We have a controlled test environment, where we have an AD user account performing login to a workstation.
We expect to see 1 logon security event ( 4624 ) associated with one logonId session in the AD security log for the above user account.
We do not expect to see any logoff event (4634 ) until the user explicitly logs off.

However, we are seeing a series of 4624, 4634 events. A pair of 4624 and 4634 are tied to one unique logonId.
It appears that in the background multiple logon sessions are being created and terminated within seconds which results in these logon/logoff events.

Our question is, why so many logon sessions are being created per second when the user has only performed a single login. ?

Answer 1

Hello @AnindyaRoyCyglassNominet-6876

You will need to check what kind of logon type is being produced, it will appear in the Events details. In the article below you can find the table per logon types and what are they referred to. For example, the user logon in the computer will the the Type 2, or Interative Logon, while other common logon types are 3 - for authenticating logon to network resources, or Type 5 - for services that are authenticating while running.

https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

Hope this helps with your query,

--
--If the reply is helpful, please Upvote and Accept as answer--