This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create Post
ketchums
Level 9
‎06-29-2016 04:12 PM

Registering locking and unlocking of workstations

Hello Fellow Thwackers,

I am trying to see if I can register locking and unlocking of workstations.  This is more of an automated way to do a little grassroots testing, but wanted to see if it could be down.  I know it is Microsoft-Windows-Security Auditing 4800/4801, but I am not sure that LEM is built to capture that information.  Has anybody tried this?  If so, what is in your bag of tricks to make this happen.

Help????

Labels (2)
Labels
Reply
5 Replies
ketchums
Level 9
‎06-30-2016 01:43 PM

Thank you so much everybody.  All the answers have been super helpful.  I also used the ProviderSID as well (Microsoft-Windows-Security-Auditing 4800/4801) which with all your help was able to narrow down exactly what I was looking for.

Again, thank you all for your help

"All Hail Thwackers"

Reply
colby
Product Manager
Product Manager
‎06-30-2016 12:06 PM

So, a super crappy thing to note here, in my experience to date the "lock" event only gets fired when the "unlock" event gets fired, and not when the workstation actually gets locked. I really hope this changed in Windows 10, but every other version I worked with didn't actually log the lock until it logged the unlock, and you see them together

Reply
curtisi
Level 15
‎06-30-2016 10:27 AM

As a requirement to getting those events, you will need to be running the LEM Agent on your workstations (workstations do not replicate "lock" and "unlock" events to the DCs).  You'll also need to make sure that your Windows Audit Policy (whether in local or GPO) is setup to tell Windows to make those events.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800

Category
• Subcategory		Logon/Logoff
Other Logon/Logoff Events
TypeSuccess

If both of these things are true, than jhynds​'s answer is one of multiple ways to find those lock and unlock events.

Reply
itengineer
Level 12
In response to curtisi
‎10-08-2020 08:13 PM

Without enabling that event ID GPO, does the events logged in Local PC or domain controllers?

0 Kudos
Reply
jhynds
Product Manager
Product Manager
‎06-30-2016 03:43 AM

Hey,

LEM can detect the Logon Type - you can then create a filter/rule to capture Lock/Unlock events.

Lock:

pastedImage_0.png

Filter Conditions:

pastedImage_2.png

Unlock:

pastedImage_1.png

Filter Conditions:

pastedImage_3.png

Equally you could create a filter based on the event ID's (4800/4801)

Hope that helps!

Reply

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
© 2021 SolarWinds Worldwide, LLC. All Rights Reserved.