This article was previously published under Q140714
This article has been archived. It is offered "as is" and will no longer be updated.
Auditing log on and log off events on Windows NT Workstation or Serverversions 3.5 and 3.51 produces records in the Security Log. However, whatappear to be identical records in the Security Log may actually recordnetwork log on and log off events, interactive log on and log off events,initial network connections to a share, or disconnects from the share.
Although these events may be identical at the summary level in the SecurityLog, the details screen makes some distinctions among them.
Here are the Event IDs and type designations for the most commonlog on and log off events:
Interactive logon Event ID 528 Type 2 Interactive logoff Event ID 538 Type 2 Network logon Event ID 528 Type 3 Net Use connection Event ID 528 Type 3 Network logoff Event ID 538 Type 3 Net use disconnection Event ID 538 Type 3 Autodisconnect Event ID 538 Type 3
When a user logs on or off the computer at the Windows NT console, theevent is recorded in the Security Log. A successful log on event generatesEvent ID 528, Logon Type 2, and a User log off event generates Event ID538, Logon Type 2, where Logon Type 2 indicates an interactive log onevent. Double-click the event to bring up the Event Detail window, thencheck the Logon Type in the Description box.
The connection events are Logon Type 3, which indicates a network log onevent. A successful Net Use or File Manager connection or a successfuldirected Net View to a Windows NT share generates Event ID 528, asuccessful log on event of Logon Type 3. An event is only generated by theinitial connection from a particular user. Subsequent Net Views or Net Usesfrom the same user to the same computer do not generate any additionalevents unless the user has disconnected (or has been autodisconnected) fromall shares.
See the Audit Category Help file (auditcat.hlp) in the Windows NT 3.51 Resource Kit or otherwise in Windows NT Server and Workstation 4.0 Resource Kits for more information on audit event records.
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition, Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition