How to puch events 4647, 4634, 551, and 538... Expand / Collapse
Author
Message
Posted 7/27/2010 11:32:49 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 7/27/2010 11:23:57 AM
Posts: 1, Visits: 0
Hi,

Is there a way to push these local workstation events to a domain controller? It seems with "Audit Account Logon Events" you can get the logon events to be logged on the domain controller that handles that logon, but is there a way to get the logoff events pushed as well?

Thanks,
Todd
Post #419
Posted 8/23/2016 4:58:28 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/23/2016 4:54:27 PM
Posts: 1, Visits: 0
I found the following information, which may or may not be true, but it explains why logoff events aren't even generated during particular circumstances. This includes a system shutdown and/or reboot.

When the user finally logs off, Windows will record a 4634 followed by a 4647. Event ID 4634 indicates the user initiated the logoff sequence, which may get canceled. Logon 4647 occurs when the logon session is fully terminated. If the system is shut down, all logon session get terminated, and since the user didn’t initiate the logoff, event ID 4634 is not logged.

source
Post #6256
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 5:50pm