Eventid windows 2003 logon




















Note: An event will be generated for every attempted operation on the object. The client context was deleted by the Authorization Manager application. The Administrator Manager initialized the application. The Certificate Manager denied a pending certificate request. Certificate Services received a resubmitted certificate request. Certificate Services revoked a certificate. Certificate Services received a request to publish the certificate revocation list CRL. One or more certificate request attributes changed.

Certificate Services received a request to shut down. The security permissions for Certificate Services changed. Certificate Services retrieved an archived key. Certificate Services imported a certificate into its database. The audit filter for Certificate Services changed.

Certificate Services received a certificate request. Certificate Services approved a certificate request and issued a certificate. Certificate Services denied a certificate request. Certificate Services set the status of a certificate request to pending. The certificate manager settings for Certificate Services changed.

A configuration entry changed in Certificate Services. A property of Certificate Services changed. Certificate Services imported and archived a key. Certificate Services published the certificate authority CA certificate to Microsoft Active Directory directory service. One or more rows have been deleted from the certificate database.

Audit Policy Change Events. A trust relationship with another domain was created. A trust relationship with another domain was removed. An IPSec policy agent encountered a potentially serious failure. A trust relationship with another domain was modified. Auditing policy was set on a per-user basis. Auditing policy was refreshed on a per-user basis. A collision was detected between a namespace element in one forest and a namespace element in another forest.

Note: When a namespace element in one forest overlaps a namespace element in another forest, it can lead to ambiguity in resolving a name belonging to one of the namespace elements. This overlap is also called a collision. Not all parameters are valid for each entry type.

Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated for each added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages are assigned a single unique identifier called an operation ID.

This allows you to determine that the multiple generated event messages are the result of a single operation. Note: See event description for event The event log service read the security log configuration for a session. Specified privileges were added to a user's access token. Note: This event is generated when the user logs on.

A user attempted to perform a privileged system service operation. Privileges were used on an already open handle to a protected object. Detailed Tracking Events. A data protection master key was backed up. The master key is backed up each time a new one is created. The default setting is 90 days.

The key is usually backed up by a domain controller. A data protection master key was recovered from a recovery server. An authentication package was loaded by the Local Security Authority. A trusted logon process has registered with the Local Security Authority. Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages. A notification package was loaded by the Security Accounts Manager.

A process is using an invalid local procedure call LPC port in an attempt to impersonate a client and reply or read from or write to a client address space. Note: This audit normally appears twice. Windows Security Events. Event ID: Pre-authentication failed.

Event ID: Authentication ticket request failed. Event ID: An account was successfully mapped to a domain account. Ta — Rippo. I'm not sure that you'll see a logon event each time a new user hits the site, but I've not looked too deeply into it.

I would imagine that the account would only need to be logged on if the ticket had expired. Not exactly! You'll still see IUSR logons even if you have no authentication methods. I was referring to the Kerberos i. Event gets logged whether the account used for logon is a local SAM account or a domain account. For all other types of logons this event is logged including For an explanation of logon processes see event For an explanation of authentication package see event Logon GUID is not documented.

It is not clear what the caller user, caller process ID, transited services are about. Source Port is the TCP port of the workstation and has dubious value.


