|
|
|
Forum Newbie
Group: Forum Members
Last Login: 1/16/2018 7:51:23 AM
Posts: 1,
Visits: 0
|
|
Hi,
In previous Windows systems, we could find who logged in remotely to a specific machine, using EventID (4624) and LogonType (10). I'm trying to do the same for the Windows 10, but I don't see LogonType=10 registered, only as a LogonType=7. Is there any change on how Windows 10 handles this case, and if yes, how we distinguish from the PC unlock case.
Is it possible to get all these events if we only audit Domain Controllers, or do we need to collect logs from computers, as well. In our case we are using the latest Netwrix solution for this purpose.
Thank you for any help on this.
|
|
|
|
|
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 201,
Visits: 0
|
|
| Type 7 logons should still only indicate an unlocked computer. I just want to confirm that you are looking for "type = 10" logs at the RDP destination, correct? There have been changes to the logon event in Windows 10 but I do not see any that indicate significant changes to how an RDP logon event would be written-https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624.
|
|
|
|