I am seeing tons of 672 events with logon type 2. I have a couple questions assuming 672 are generated on domain controllers both when a user tries to logon to the console of a member server, and when trying to access a share from one member server/workstation to another member server.
1. Is this indicative of a user logging onto the console when i see the logon type 2 (or logon type 10 in the case of RDP access)?
2. In the case of a user accessing a share on a member server from a server/workstation that the user is already authenticated, what does the logon type refer to in this case?
Maybe my assumptions are incorrect about the workings of 672, but I am seeing what looks like thousands of console logons to my member servers!
Not sure what field you are confusing as logon type in 672 but logon type isn't provided in Account Logon (aka Authentication) events - only in logon events like 528 and 540.