Windows logon types and logon codes

A user logs on to a system to gain access to the computer and the files on the network. In Windows, there are several ways a logon can occur locally, and remotely. System admins need to keep track of the logon types to be abreast of any security vulnerabilities in the organization's network.

The following is a list of the types of logons, along with their codes, found in the Windows security event log:

Interactive (Logon Type 2)

This type of logon happens when a user logs on to the computer.

Network (Logon Type 3)

This type of logon occurs when a user or computer logs on to the computer from the network.
Batch (Logon Type 4)

This type of logon is used by batch servers. Scheduled tasks are executed on behalf of a user without human intervention.
Service (Logon Type 5)

This type of logon is used for services and service accounts that logon to run a service.
Unlock (Logon Type 7)

This type of logon occurs when a user unlocks their machine.
Network Cleartext (Logon Type 8)

This type of logon occurs when a user or computer logs on to the computer from the network, and the password is sent in clear text.
NewCredentials (Logon Type 9)

This type of logon occurs when a user uses the 'RunAs' command to run an application.
RemoteInteractive (Logon Type 10)

This logon type occurs when a user remotely accesses the computer through RDP applications such as Remote Desktop, Remote Assistance or Terminal Services.
CachedInteractive (Logon Type 11)

This type of logon is recorded when a user logons to the computer without having to contact the domain controller, since the network credentials are locally stored on the computer.

Logs with event IDs 4624 and 4625 are generated every time there is a successful or failed logon on a local computer, respectively.

Auditing logon activity with ADAudit Plus

Get your fully functional 30-day free trial

ADAudit Plus user logon monitoring and auditing capabilities provide real-time activity reports. Administrators can centrally audit, monitor and view pre-configured reports and schedule reports to be delivered to their inbox.

To obtain Logon Reports,

Log in to the ADAudit Plus web console.
Click the Reports tab → Local Logon-Logoff.

Select the report of your choice, and see information about currently logged on users, logon failures, computers startup and shutdown time, and more.

Have a glimpse of some of the ADAudit Plus reports by viewing the screenshots of (i) Logon Activity report, (ii) Currently Logged On Users report, and (iii) Computer Startup and Shutdown report, below.

A user logon activity report on ADAudit Plus

The currently logged on users report in ADAudit Plus

Computers' startup and shutdown time report in ADAudit Plus

In these reports, you can obtain information such as:

Who logged on to the workstation?
When did the user last logon to the workstation?
What kind of logon was it?
When was the workstation last started up and shutdown?

About ADAudit Plus

ADAudit Plus is a real-time Active Directory auditing tool that offers 200+ reports and email alerts, including various logon and logoff reports. The different ways to logon to systems can be distinguished by ADAudit Plus, and this can help the organization understand employee behavior with regards to IT, and thwart insider and outsider attacks. It is also a valuable solution for companies that need to adhere to compliance mandates.

Managing user logon activity need not be complicated at all. Try ADAudit Plus for auditing all your workstations.

More related links

✕
Native auditing becoming a little too much?

Try ADAudit Plus login monitoring tool to audit, track, and respond to malicious login and logoff actions instantaneously.
Try ADAudit Plus for free