Audit logon events

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Vista

Audit logon events


This security setting determines whether to audit each instance of a user logging on to or logging off from a computer.

Account logon events are generated on domain controllers for domain account activity and on local computers for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more information about account logon events, see Audit account logon events.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: Success.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

For specific instructions about how to configure auditing policy settings, see Define or modify auditing policy settings for an event category.

Logon Events Description


A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.


Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.


Logon failure. A logon attempt was made user account tried to log on outside of the allowed time.


Logon failure. A logon attempt was made using a disabled account.


Logon failure. A logon attempt was made using an expired account.


Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.


Logon failure. The user attempted to log on with a type that is not allowed.


Logon failure. The password for the specified account has expired.


Logon failure. The Net Logon service is not active.


Logon failure. The logon attempt failed for other reasons.


  • In some cases, the reason for the logon failure may not be known.


The logoff process was completed for a user.


Logon failure. The account was locked out at the time the logon attempt was made.


A user successfully logged on to a network.


Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.


A data channel was terminated.


Main mode was terminated.


  • This might occur as a result of the time limit on the security association expiring (the default is eight hours), policy changes, or peer termination.


Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.


Main mode authentication failed because of a Kerberos failure or a password that is not valid.


IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.


A failure occurred during an IKE handshake.


Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client.


Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests.


Notification message that could indicate a possible denial-of-service attack.


A user initiated the logoff process.


A user successfully logged on to a computer using explicit credentials while already logged on as a different user.


A user has reconnected to a disconnected terminal server session.


A user disconnected a terminal server session without logging off.


  • This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.

When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

Logon type Logon title Description



A user logged on to this computer.



A user or computer logged on to this computer from the network.



Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.



A service was started by the Service Control Manager.



This workstation was unlocked.



A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).



A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.



A user logged on to this computer remotely using Terminal Services or Remote Desktop.



A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

For more information about security events, see Security Events on the Microsoft Windows Resource Kits Web site.

For more information, see: