Windows logon type 3

What is a Windows logon?

A Windows logon event occurs when a user logs in to a system, kick-starting a logon session. A logon session denotes every time a security principal logs in to a Windows machine. Logon events are useful in identifying anomalous access patterns and user logins. These events can be correlated across various AD machines, like domain controllers, workstations, and Windows servers, to get a full picture of the user's logon session.

Logon types in Windows

Windows logons are categorized based on how a user logs on to a device and what resource is used. Each logon type recorded will have an associated logon session containing all the session details. Some closely monitored logon types include:

Logon type What it denotes When it is recorded
2 Interactive A user logs on directly to a system.
Example: User A logs in to their device by keying in their credentials.
3 Network A user accesses a computer over the network.
Example: User A accesses a file from a network share.
4 Batch A computer runs a batch job.
Example: A Windows Scheduler task executes a script that has been scheduled periodically.
5 Service A service starts.
Example: Antivirus software that runs perpetually.
10 Remote interactive A user logs in to a machine remotely.
Example: User A logs in to device B using Remote Desktop Connection.

What is logon type 3?

Logon type 3 denotes a network logon. A network logon or any other logon can take place only after an interactive logon authentication has taken place, as the same credentials used for an interactive logon are applied. Network logon events occur when a user accesses a shared resource over the network. For example, when user A accesses the organization's printer, the actions trigger a logon type 3 event.

Why should logon type 3 events be monitored?

On their own, events of this type may not make much sense. But when correlated with account logons and UBA-based analysis, administrators can identify unauthorized accesses, file modifications, or deletions. Maintaining logs of network resource accesses is one of the requirements of PCI DSS. It is also useful to maintain an audit trail for forensic examination after a security incident has occurred.

How ADAudit Plus helps in monitoring logon types

ManageEngine ADAudit Plus provides a single pane of reporting for all AD changes. Get real-time, UBA-driven insights to detect suspicious and risky changes. Gain full visibility into logons, account lockouts, GPO changes, permission changes, Azure AD changes, file server activity, and more. Our reports can help you:

Try all these features and more for free in a 30-day trial. Alternatively, get on a call with our technical experts to see how ADAudit Plus can help you.

We're thrilled to be recognized as a Gartner Peer Insights Customers’ Choice for Security Incident & Event Management (SIEM) for the third year in a row.  

Don't wait for your annual compliance audit.

  • Audit your AD and Azure
  • Monitor user logon
  • Troubleshoot AD lockouts
Starting today
  • By clicking 'Book a demo now' you agree to processing of personal data according to the Privacy Policy.


Please check your inbox for demo details.