More specifically, I had the Administrator log onto a Virtual Server (Windows 2003) and left it open. Then I logged on as another test user using remote desktop. I could not see the security log as that user since I did not have permissions. (I looked into that but couldn't seem to find the settings that would give the test user a way to see the security log. How do I do that?)
Anyway, I looked later in the Administrator's Virtual PC and I saw the security log indicate a successful logon. What is going on? Why is it wrong about a failure?
1. 565 is not an Object Access event - it is a Directory Service access event
2. Windows doesn't log attempts to open a file unless you enable Object Access auditing AND enable auditing for that file
3. Since trying to open an EFS encrypted file is not a permissions failure I'm not sure #2 would log an event anyway
4. As to logon events, please see my free webinars on the subject at www.ultimatewindowssecurity.com/webinars