Logon types in active directory (2024)


A user logs on to a system to gain access to the computer and the files on the network. In Windows, a logon can occur in several ways, both locally and remotely. System administrators need to keep track of logon types to stay abreast of any security vulnerabilities in the organization's network.

The following is a list of the types of logons, along with their codes, found in the Windows security event log:

  • Interactive (Logon Type 2)

    This type of logon happens when a user logs on to the computer.

  • Network (Logon Type 3)

    This type of logon occurs when a user or computer logs on to the computer from the network.

  • Batch (Logon Type 4)

    This type of logon is used by batch servers. Scheduled tasks are executed on behalf of a user without human intervention.

  • Service (Logon Type 5)

    This type of logon is used for services and service accounts that log on to run a service.

  • Unlock (Logon Type 7)

    This type of logon occurs when a user unlocks their machine.

  • Network Cleartext (Logon Type 8)

    This type of logon occurs when a user or computer logs on to the computer from the network, and the password is sent in clear text.

  • NewCredentials (Logon Type 9)

    This type of logon occurs when a user uses the 'RunAs' command to run an application.

  • RemoteInteractive (Logon Type 10)

    This logon type occurs when a user remotely accesses the computer through RDP applications such as Remote Desktop, Remote Assistance or Terminal Services.

  • CachedInteractive (Logon Type 11)

    This type of logon is recorded when a user logs on to the computer without having to contact the domain controller, since the network credentials are stored locally on the computer.

Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.
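The logon types and event IDs above can be tallied from exported Security events. This is an added example, not code from the original article or from ADAudit Plus: it assumes events exported as XML (for instance with `wevtutil`), reads the standard `LogonType`, `TargetUserName` and `IpAddress` fields of events 4624 and 4625, and uses hypothetical names (`sample_event`, `REVIEW_TYPES`) and constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type codes as listed in the article above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
OUTCOME = {4624: "success", 4625: "failure"}
REVIEW_TYPES = {8, 10}  # assumption: surface cleartext and RDP logons first

def sample_event(event_id, user, logon_type, ip="-"):  # builds constructed data
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

def parse_event(xml_text):
    """Return a dict for a 4624/4625 event (unlisted codes kept), else None."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    if event_id not in OUTCOME:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    raw = data.get("LogonType", "")
    code = int(raw) if raw.isdigit() else None
    return {"outcome": OUTCOME[event_id], "user": data.get("TargetUserName", ""),
            "source_ip": data.get("IpAddress", ""), "logon_type": code,
            "type_name": LOGON_TYPES.get(code, f"Unlisted({raw or '?'})")}

def summarize(events):
    """Count events per (outcome, logon type) and collect REVIEW_TYPES hits."""
    counts, review = Counter(), []
    for rec in filter(None, map(parse_event, events)):
        counts[(rec["outcome"], rec["type_name"])] += 1
        if rec["logon_type"] in REVIEW_TYPES:
            review.append(rec)
    return counts, review

SAMPLE_EVENTS = [  # constructed data, not taken from a real log
    sample_event(4624, "alice", 2), sample_event(4624, "svc_backup", 5),
    sample_event(4625, "bob", 3, "192.0.2.10"), sample_event(4625, "bob", 3, "192.0.2.10"),
    sample_event(4624, "carol", 10, "198.51.100.7"), sample_event(4624, "webapp", 8, "203.0.113.5"),
    sample_event(4672, "alice", ""), sample_event(4624, "dave", 13),
]

if __name__ == "__main__":
    counts, review = summarize(SAMPLE_EVENTS)
    print(dict(counts), [r["user"] for r in review])
```

Events with other IDs are skipped, and a logon type code that is not in the list above is reported as `Unlisted(n)` rather than silently dropped.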

Auditing logon activity with ADAudit Plus

ADAudit Plus user logon monitoring and auditing capabilities provide real-time activity reports. Administrators can centrally audit, monitor and view pre-configured reports and schedule reports to be delivered to their inbox.

To obtain logon reports:
  • Log in to the ADAudit Plus web console.
  • Click the Reports tab → Local Logon-Logoff.

Select the report of your choice to see information about currently logged-on users, logon failures, computer startup and shutdown times, and more.

Have a glimpse of some of the ADAudit Plus reports by viewing the screenshots of (i) Logon Activity report, (ii) Currently Logged On Users report, and (iii) Computer Startup and Shutdown report, below.


A user logon activity report on ADAudit Plus


The currently logged on users report in ADAudit Plus


Computers' startup and shutdown time report in ADAudit Plus

In these reports, you can obtain information such as:
  • Who logged on to the workstation?
  • When did the user last log on to the workstation?
  • What kind of logon was it?
  • When was the workstation last started up and shut down?

About ADAudit Plus

ADAudit Plus is a real-time Active Directory auditing tool that offers 200+ reports and email alerts, including various logon and logoff reports. ADAudit Plus can distinguish the different ways of logging on to systems, which can help the organization understand employee behavior with regard to IT and thwart insider and outsider attacks. It is also a valuable solution for companies that need to adhere to compliance mandates.

Managing user logon activity need not be complicated at all. Try ADAudit Plus for auditing all your workstations.

More related links

    Native auditing becoming a little too much?

    Try the ADAudit Plus login monitoring tool to audit, track, and respond to malicious login and logoff actions instantaneously.

    Try ADAudit Plus for free


    FAQs

    What are logon types?

    Logon Types. Windows supports different types of logon sessions. These logon types describe the ways in which users can log on to a system—for example, through the system's local console (interactive) or through a Remote Desktop session (remote interactive). You can use local or domain accounts with each logon type.

    What is logon type 4 in Active Directory?

    Logon type 4: Batch. Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. This event type appears when a scheduled task is about to be started.

    What is logon type 3 in Active Directory?

    Logon type 3 denotes a network logon. A network logon or any other logon can take place only after an interactive logon authentication has taken place, as the same credentials used for an interactive logon are applied.

    What is logon type 10 in Active Directory?

    RemoteInteractive (Logon Type 10)

    This logon type occurs when a user remotely accesses the computer through RDP applications such as Remote Desktop, Remote Assistance or Terminal Services.

    What is a type 5 logon?

    Windows logs a type 5 logon when a service starts and the service account logs into the local system. This event is typically initiated by the Service Control Manager, responsible for handling different services on the system.

    What is logon type 7?

    Logon type 7, as I've read, indicates that it is an "[u]nlock (i.e. unattended workstation with password protected screen saver)".

    Is logon type 8 bad?

    Logon Type 8 means network logon with clear text authentication. The only scenario where we've observed logon type 8 is with logons to IIS web-sites via Basic Authentication. Don't immediately sound the alarms if you see logon type 8 since most Basic Authentication is wrapped up inside an SSL session via https.

    What is login type 9?

    Logon Type 9: NewCredentials

    A Logon Type 9 event is generated when a user leverages the RunAs command with the /netonly option to start a program. It will create a new logon session with the same local identity but with different credentials. This is ideally used for accessing network resources as a different user.

    What are Active Directory logs?

    Active Directory records events to the Directory Services or LDS Instance log in Event Viewer. You can use the information that is collected in the log to help you diagnose and resolve possible problems or monitor the activity of Active Directory-related events on your server.

    What type of authentication is Active Directory?

    Active Directory Authentication is a Windows-based system that verifies users, endpoints, and services to Microsoft's Active Directory. AD Authentication supports both Kerberos and the Lightweight Directory Access Protocol (LDAP).

    What is Active Directory login?

    Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources.

    What is Active Directory vs SSO?

    With SSO, a user logs in once, and gains access to all systems without being prompted to log in again at each of them. Active Directory (AD) is a directory service that provides a central location for network administration and security.

    What is last logon in Active Directory?

    The last logon in Active Directory is a time stamp representation of the last time a domain controller successfully authenticated the user or computer object. There are 3 basic attributes that tell you the last time an object was last authenticated against a Domain Controller.

    What is batch logon type?

    Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention. Logon type 5 (Service): the Service Control Manager started a service.

    What are the different types of Windows logs?

    There are mainly five Windows event log types:
    • Application Events. These are connected to instances involving locally installed software. ...
    • Security Events. These keep data according to the audit policies of the Windows operating system. ...
    • Setup Events. ...
    • Forwarded Events. ...
    • System Events.

    What are the different types of logins in database?

    There are three types of logins that are stored in the master database: Windows user, Windows group, and SQL. Let's review each of these different types of logins. A Windows user login provides access for a single Windows user.

    What are the different types of logon scripts?

    Scripts may perform an arbitrary set of tasks such as defining user-specific environment variables and drive letter mappings. Webspace supports two types of logon scripts: global scripts that execute for all users that log on to the server, and user-specific scripts that execute for individual users.

    What does 4672 special logon mean?

    Description. Special privileges were assigned to a new logon. If sensitive privileges are assigned to a new logon session, event 4672 is generated for that particular new logon. This event is generally recorded multiple times in the event viewer as every single local system account logon triggers this event.


    Author: Wyatt Volkman LLD
