During a single windows network logon, we are seeing a series of logon session ids and associated Logon/Logoff events

Anindya Roy - Cyglass-Nominet 1 Reputation point

We have a controlled test environment, where we have an AD user account performing login to a workstation.
We expect to see 1 logon security event ( 4624 ) associated with one logonId session in the AD security log for the above user account.
We do not expect to see any logoff event (4634 ) until the user explicitly logs off.

However, we are seeing a series of 4624, 4634 events. A pair of 4624 and 4634 are tied to one unique logonId.
It appears that in the background multiple logon sessions are being created and terminated within seconds which results in these logon/logoff events.

Our question is, why so many logon sessions are being created per second when the user has only performed a single login. ?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,840 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,751 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 39,351 Reputation points

    Hello @AnindyaRoyCyglassNominet-6876

    You will need to check what kind of logon type is being produced, it will appear in the Events details. In the article below you can find the table per logon types and what are they referred to. For example, the user logon in the computer will the the Type 2, or Interative Logon, while other common logon types are 3 - for authenticating logon to network resources, or Type 5 - for services that are authenticating while running.


    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments