Logon Logoff Event: 528

Active Directory Auditing Tool

An administrator needs the who, where and when of every activity that occurs in Active Directory in order to identify both desired and undesired activity. ADAudit Plus provides this information in the form of reports. It audits, monitors and reports in real time on critical network resources such as the Domain Controllers, covering changes to AD objects (Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration) with 200+ detailed event-specific GUI reports and email alerts.


Event ID 528 – Successful Logon

Event ID: 528
Category: Logon/Logoff
Type: Success Audit
Description: Successful Logon

Whenever a user logs on to the local computer, event 528 is generated, regardless of whether the account used is a domain account or a local SAM account. A network logon is recorded differently, as event 540.

This log data provides the following information:

  • User Name
  • Domain
  • Logon ID (Helps correlate with other events that occur during this particular logon session)
  • Logon Type
  • Logon Process
  • Authentication Package
  • Workstation Name

Note: In Windows XP and Windows 2000, the following information is not registered: Caller User Name, Caller Domain, Caller Logon ID, Caller Process ID, Transited Services, Source Network Address, and Source Port. Apart from these, Windows 2000 also does not log Logon GUID information.
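The Logon ID correlation mentioned in the field list above, as an added example that is not ADAudit Plus code: it parses the listed fields out of event descriptions and reports logon sessions that have a 528 record but no matching logoff. It assumes the descriptions were exported as "Field: value" lines; the sample records are constructed, and event 538 (User Logoff), which this page does not cover, is used as the correlated event.

```python
from collections import defaultdict

# Constructed sample records as (event_id, description); every name and ID is made up.
# 538 (User Logoff) is not described on this page; it stands in for the correlated event.
SAMPLE_EVENTS = [
    (528, "Successful Logon:\n\tUser Name:\tjsmith\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x558DD)\n\tLogon Type:\t2\n\tLogon Process:\tUser32\n"
          "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tWS01\n"),
    (528, "Successful Logon:\n\tUser Name:\tsvc_backup\n\tDomain:\tWS01\n"
          "\tLogon ID:\t(0x0,0x6A2F1)\n\tLogon Type:\t5\n\tLogon Process:\tAdvapi\n"
          "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\tWS01\n"),
    (538, "User Logoff:\n\tUser Name:\tjsmith\n\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x558dd)\n\tLogon Type:\t2\n"),
]

def parse_description(text):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and value.strip():               # skips the 'Successful Logon:' header
            fields[name.strip()] = value.strip()
    return fields

def sessions(events):
    """Group parsed events by Logon ID (hex case normalised), in input order."""
    by_id = defaultdict(list)
    for event_id, text in events:
        fields = parse_description(text)
        if "Logon ID" in fields:
            by_id[fields["Logon ID"].lower()].append((event_id, fields))
    return dict(by_id)

def open_sessions(events):
    """Return (user, domain, logon_id) for 528 logons with no 538 logoff seen."""
    result = []
    for logon_id, items in sessions(events).items():
        ids = [event_id for event_id, _ in items]
        if 528 in ids and 538 not in ids:
            fields = next(f for e, f in items if e == 528)
            result.append((fields.get("User Name"), fields.get("Domain"), logon_id))
    return result

if __name__ == "__main__":
    for user, domain, logon_id in open_sessions(SAMPLE_EVENTS):
        print(f"{domain}\\{user} session {logon_id} has no logoff record")
```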

Why does event ID 528 need to be monitored?

  • To prevent privilege abuse.
  • To detect abnormal and potentially malicious activity.
  • To get information on user activity (like user attendance and peak logon times).
  • To ensure compliance with regulatory mandates.

Pro Tip:

With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks successful logon attempts by local users, helping you meet your security, operational, and compliance needs with absolute ease.

Event 528 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

The corresponding event ID in Windows 2008 and Windows Vista is 4624.