Event ID 528 – Successful Logon
Whenever a user logs on to the local computer, event 528 is generated, regardless of whether the account used is a domain account or a local SAM account. This differs from a network logon, which is recorded as event 540.
This log data provides the following information:
- User Name
- Logon ID (Helps correlate with other events that occur during this particular logon session)
- Logon Type
- Logon Process
- Authentication Package
- Workstation Name
Note: Windows XP and Windows 2000 do not log the following information: Caller User Name, Caller Domain, Caller Logon ID, Caller Process ID, Transited Services, Source Network Address, and Source Port. In addition, Windows 2000 does not log Logon GUID information.
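The following Python is an added example, not part of the original page or of any product it mentions. It parses event descriptions into the fields listed above and uses the Logon ID to tie each 528 logon to later events from the same session. The sample records, account and host names, the logon-type labels, and the use of event 538 (logoff) are assumptions that do not come from this page.

```python
# Logon types seen in event 528; type 3 (network) is logged as event 540.
LOGON_TYPES = {2: "Interactive", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample records (not real log data). Event 538 (logoff) is an
# assumption; the second 528 mimics a Windows 2000/XP record with no source address.
SAMPLE_EVENTS = [
    {"id": 528, "time": "2009-03-02 08:58:11", "description":
     "Successful Logon:\n\tUser Name:\tjsmith\n\tDomain:\tEXAMPLE\n"
     "\tLogon ID:\t(0x0,0x558DD)\n\tLogon Type:\t10\n\tLogon Process:\tUser32\n"
     "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tSRV01\n"
     "\tSource Network Address:\t192.0.2.15\n\tSource Port:\t3201"},
    {"id": 538, "time": "2009-03-02 09:40:02", "description":
     "User Logoff:\n\tUser Name:\tjsmith\n\tLogon ID:\t(0x0,0x558DD)\n\tLogon Type:\t10"},
    {"id": 528, "time": "2009-03-02 09:01:47", "description":
     "Successful Logon:\n\tUser Name:\tbackup_svc\n\tDomain:\tEXAMPLE\n"
     "\tLogon ID:\t(0x0,0x61A02)\n\tLogon Type:\t5\n\tLogon Process:\tAdvapi\n"
     "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tSRV01"},
]

def parse_description(text):
    """Return the 'Name: value' lines of an event description as a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def sessions(events):
    """Key each event 528 by Logon ID and attach later events sharing that ID."""
    result = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        f = parse_description(ev["description"])
        logon_id = f.get("Logon ID")
        if ev["id"] == 528:
            ltype = int(f["Logon Type"])
            result[logon_id] = {
                "user": f.get("User Name"), "time": ev["time"],
                "logon_type": LOGON_TYPES.get(ltype, f"Unknown ({ltype})"),
                # Not logged on Windows 2000/XP, so this may be None.
                "source": f.get("Source Network Address"),
                "related": []}
        elif logon_id in result:
            result[logon_id]["related"].append(ev["id"])
    return result

if __name__ == "__main__":
    for logon_id, info in sessions(SAMPLE_EVENTS).items():
        print(logon_id, info)
```

A Logon ID is only unique on one computer between restarts, so correlate within a single host and boot period.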
Why does event ID 528 need to be monitored?
- To prevent privilege abuse.
- To detect abnormal and potentially malicious activity.
- To get information on user activity (like user attendance and peak logon times).
- To ensure compliance with regulatory mandates.
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks successful logon attempts by local users, helping you meet your security, operational, and compliance needs with absolute ease.
Event 528 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
The corresponding event ID in Windows 2008 and Windows Vista is 4624.