3 Replies Latest reply on Dec 3, 2012 4:06 PM by nicole pauls

    Can't find interactive logons

    tmart

      So I'm trying to determine how many times a user has interactively logged in over the past couple of weeks, but when I use nDepth to show all "machinelogons" and "userlogons" for this user I just get a few thousand "logontype: windows: network", "logontype: windows: network cleartype logon", and "logontype: (blank space)".


      I refuse to believe this user has never logged in interactively, so where do I find his actual interactive logons? Is there a place where I can view the logon type # in LEM, because right now it is giving text values for "logontype" instead of the numeric values 2-11...


      Also, why are there hundreds of userlogons that have a blank logontype? What could be causing LEM to be unable to determine the logontype? Whenever the logontype is blank the authpackage is MICROSOFT_AUTHENTICATION_PACKAGE_V1_0.

        • Re: Can't find interactive logons
          nicole pauls

          Do you have agents on the workstation? Interactive logons are only logged locally, not at the domain level. All you'll see at the domain are the network logons.


          My guess is the auth package ones are via something like Exchange, something that's separate from domain auth or connections to file shares/servers.

            • Re: Can't find interactive logons
              tmart

              So even though they are logging into a domain the domain controller does not log these interactive logons?

                • Re: Can't find interactive logons
                  nicole pauls

                  If you are logging in directly to the DC (RDP, console) it will log as interactive. If you're logging in to a workstation joined to the domain that DC serves, the "interactive" logon happens at the workstation, then a bunch of authentication/network logons happen to the DCs. It's easier than it used to be to tell where users are logging on from, but the actual "interactive" logon happens at the endpoint.


                  You could run through a quick test by turning on the audit policy on your workstation and doing a test run - you don't even need to send to LEM, just look for the logon event in the event log. Or, log in interactively to the DC (RDP/console) and look for the interactive logon (RDP = remote interactive).

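To make the numeric-vs-text logon type point concrete, here is an added example (not from the thread or from LEM) that classifies constructed Windows Security 4624 records by their numeric LogonType, counts the truly interactive ones (types 2, 10, 11) per host, and surfaces records whose logon type is blank; the field names and sample values are assumptions modelled on the 4624 event, not real log data.

```python
"""Classify Windows 4624 logon events by numeric logon type and count the
interactive ones per user and per host.  All sample records are constructed."""
from collections import Counter

# Numeric logon types as documented for Security event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# Types that mean the user was actually at a console/RDP session on that host.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample records (assumed field names): one workstation console logon,
# DC-side network logons, one RDP logon to the DC, a blank-type record, and a failure.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WKS01", "TargetUserName": "jdoe", "LogonType": "2", "AuthPkg": "Kerberos"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe", "LogonType": "3", "AuthPkg": "Kerberos"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe", "LogonType": "3", "AuthPkg": "Kerberos"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe", "LogonType": "10", "AuthPkg": "Negotiate"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jdoe", "LogonType": "", "AuthPkg": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"},
    {"EventID": 4624, "Computer": "WKS01", "TargetUserName": "asmith", "LogonType": "2", "AuthPkg": "Kerberos"},
    {"EventID": 4625, "Computer": "WKS01", "TargetUserName": "jdoe", "LogonType": "2", "AuthPkg": "Kerberos"},
]

def logon_type_name(raw):
    """Map the raw LogonType field to its name; blank or unknown values stay visible."""
    try:
        return LOGON_TYPES.get(int(raw), f"Unknown({raw})")
    except ValueError:
        return "Blank" if raw.strip() == "" else f"Unparsable({raw})"

def interactive_logons(events, user):
    """Count successful interactive logons (types 2/10/11) for `user`, keyed by host."""
    counts = Counter()
    for ev in events:
        if ev["EventID"] != 4624 or ev["TargetUserName"].lower() != user.lower():
            continue  # only successful logons for the requested account
        if ev["LogonType"].isdigit() and int(ev["LogonType"]) in INTERACTIVE_TYPES:
            counts[ev["Computer"]] += 1
    return dict(counts)

def blank_logon_types(events):
    """Return (host, auth package) for records whose logon type is empty."""
    return [(ev["Computer"], ev["AuthPkg"]) for ev in events if ev["LogonType"].strip() == ""]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], ev["TargetUserName"], logon_type_name(ev["LogonType"]))
    print(interactive_logons(SAMPLE_EVENTS, "jdoe"))   # {'WKS01': 1, 'DC01': 1}
    print(blank_logon_types(SAMPLE_EVENTS))
```

With the sample data, the only interactive logons for jdoe are the one at the workstation and the RDP session on the DC; the repeated type 3 records at the DC are the network logons the thread describes, and the blank-type record is reported separately with its auth package.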