Hello Fellow Thwackers,
I am trying to see if I can register locking and unlocking of workstations. This is more of an automated way to do a little grassroots testing, but I wanted to see if it could be done. I know it is Microsoft-Windows-Security-Auditing 4800/4801, but I am not sure that LEM is built to capture that information. Has anybody tried this? If so, what is in your bag of tricks to make this happen?
Thank you so much, everybody. All the answers have been super helpful. I also used the ProviderSID (Microsoft-Windows-Security-Auditing 4800/4801), which, with all your help, let me narrow down exactly what I was looking for.
Again, thank you all for your help
"All Hail Thwackers"
So, a super crappy thing to note here: in my experience to date, the "lock" event only gets fired when the "unlock" event gets fired, and not when the workstation actually gets locked. I really hope this changed in Windows 10, but every other version I worked with didn't actually log the lock until it logged the unlock, and you see them together.
As a requirement for getting those events, you will need to be running the LEM Agent on your workstations (workstations do not replicate "lock" and "unlock" events to the DCs). You'll also need to make sure that your Windows Audit Policy (whether local or GPO) is set up to tell Windows to generate those events:
• Other Logon/Logoff Events
If both of these things are true, then jhynds's answer is one of multiple ways to find those lock and unlock events.
LEM can detect the Logon Type - you can then create a filter/rule to capture Lock/Unlock events.
Equally, you could create a filter based on the event IDs (4800/4801).
Hope that helps!
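Putting the two answers above together (enable the "Other Logon/Logoff Events" subcategory, then filter the Security log on 4800/4801), here is an added PowerShell example for checking the setup on a single workstation before pointing the LEM Agent at it. This is not code from the thread or from SolarWinds; it assumes you run it elevated on the workstation itself, since lock/unlock events only exist in the local Security log. It pairs each 4801 (unlock) with the preceding 4800 (lock) for the same logon session, so you can see for yourself how the two timestamps line up on your Windows builds.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the workstation whose lock/unlock events you want to see.

# 1. Enable auditing of the "Other Logon/Logoff Events" subcategory (Success),
#    which is the subcategory that produces 4800 (locked) and 4801 (unlocked).
#    The subcategory name is locale-dependent; this is the English name.
auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable

# 2. Confirm the effective policy (a GPO can override the local setting).
auditpol.exe /get /subcategory:"Other Logon/Logoff Events"

# 3. Pull 4800/4801 from the last 7 days, oldest first. FilterHashtable is
#    evaluated by the event log service, so this is cheap even on a big log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4800, 4801
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# 4. Pair each unlock with the most recent lock for the same logon session.
#    Both events carry TargetLogonId in EventData, so that is the join key.
$open  = @{}   # TargetLogonId -> time of the last unmatched 4800
$pairs = foreach ($e in $events) {
    # Read the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $key = $d.TargetLogonId

    if ($e.Id -eq 4800) {
        $open[$key] = $e.TimeCreated
    }
    elseif ($e.Id -eq 4801) {
        # An unlock with no matching lock (log rolled over, or the lock was
        # never written) is reported with an empty LockedAt rather than dropped.
        $lockedAt = $open[$key]
        [pscustomobject]@{
            User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonId    = $key
            LockedAt   = $lockedAt
            UnlockedAt = $e.TimeCreated
            Minutes    = if ($lockedAt) {
                             [math]::Round(($e.TimeCreated - $lockedAt).TotalMinutes, 1)
                         } else { $null }
        }
        $open.Remove($key)
    }
}

$pairs | Format-Table -AutoSize

# Sessions still locked (a 4800 with no 4801 yet) are left in $open:
if ($open.Count) { Write-Host "Currently locked sessions: $($open.Keys -join ', ')" }
```

If step 3 returns nothing after you lock and unlock the console, check step 2 first: a domain GPO that sets the Logon/Logoff category without the subcategory, or a "force audit policy subcategory settings" override, will silently undo the local `auditpol` change. Once events show up here, the same 4800/4801 filter is what you build in LEM once the Agent is forwarding the Security log.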