I monitor EventID 4768 on an Active Directory server to catch user logons. So far so good … I observed that all events with user set to $ are computers.
My problem is that, as far as I can see, I am allowed to set usernames like 'abc$'. So differentiating based on '$' is not the best way.
I also can't see any other difference between two events, one from a computer logon and one from a user logon.
So, how to safely differentiate between users and computers when I am catching logon events?
Best Answer
I've had better luck monitoring different Event ID numbers for login/logout events. These are IDs 4624 (login) and 4634 (logout); the two can be correlated through the LogonGUID attribute on both of them. Another pair of IDs that are useful: 4625 (failed login) and 4740 (account lockout).
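As an added example (not part of the original answer), here is the 4624/4634 correlation applied to a handful of constructed Security log records in Python. The records are made up for illustration but use the real EventData field names (TargetUserName, TargetLogonId, LogonType, Status). Logon and logoff are joined on TargetLogonId, the per-session logon ID that both events carry, and 4625 records are tallied per account. The `classify_account` helper and the `computer_accounts` set it consults are assumptions for illustration: the set stands in for a list of computer objects exported from AD, so the decision does not rest on the trailing '$' in the name, which the question shows a user account can also have.

```python
"""Correlate Windows Security events 4624 (logon) and 4634 (logoff) and tally
4625 (failed logon) over constructed sample records.

Added example, not code from the original post. The records below are
constructed; the field names follow the EventData element names of the real
events (TargetUserName, TargetDomainName, TargetLogonId, LogonType, Status).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

LOGON, LOGOFF, FAILED = 4624, 4634, 4625

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "TimeCreated": "2024-01-10T08:00:00",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a1", "LogonType": "2"},
    {"EventID": "4624", "TimeCreated": "2024-01-10T08:00:05",
     "TargetUserName": "WS01$", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7b2", "LogonType": "3"},
    # A *user* account whose name happens to end in '$', as in the question.
    {"EventID": "4624", "TimeCreated": "2024-01-10T08:01:00",
     "TargetUserName": "abc$", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7c3", "LogonType": "3"},
    {"EventID": "4625", "TimeCreated": "2024-01-10T08:02:00",
     "TargetUserName": "bob", "TargetDomainName": "CORP",
     "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {"EventID": "4634", "TimeCreated": "2024-01-10T09:30:00",
     "TargetUserName": "alice", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a1", "LogonType": "2"},
]


@dataclass
class Session:
    account: str          # DOMAIN\name as logged in the event
    logon_id: str         # TargetLogonId, unique per logon session on the host
    logon_type: str
    logon_at: datetime
    logoff_at: Optional[datetime] = None  # None: no 4634 seen yet

    @property
    def duration_seconds(self) -> Optional[float]:
        if self.logoff_at is None:
            return None
        return (self.logoff_at - self.logon_at).total_seconds()


def _ts(event: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def _account(event: Dict[str, str]) -> str:
    return f'{event["TargetDomainName"]}\\{event["TargetUserName"]}'


def correlate_sessions(events: List[Dict[str, str]]) -> Dict[str, Session]:
    """Pair each 4624 with its 4634 by TargetLogonId; result keyed by logon ID."""
    sessions: Dict[str, Session] = {}
    for ev in sorted(events, key=_ts):
        eid = int(ev["EventID"])
        if eid == LOGON:
            sessions[ev["TargetLogonId"]] = Session(
                account=_account(ev), logon_id=ev["TargetLogonId"],
                logon_type=ev["LogonType"], logon_at=_ts(ev))
        elif eid == LOGOFF:
            session = sessions.get(ev["TargetLogonId"])
            # A 4634 with no matching 4624 means the logon predates our window;
            # it is ignored rather than guessed at.
            if session is not None:
                session.logoff_at = _ts(ev)
    return sessions


def failed_logons_by_account(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count 4625 records per DOMAIN\\name (candidates for 4740 follow-up)."""
    counts: Dict[str, int] = {}
    for ev in events:
        if int(ev["EventID"]) == FAILED:
            counts[_account(ev)] = counts.get(_account(ev), 0) + 1
    return counts


def classify_account(sam_account_name: str, computer_accounts: Set[str]) -> str:
    """Decide user vs computer from an authoritative set of computer account
    names (assumed to be exported from AD) rather than from a trailing '$'."""
    return "computer" if sam_account_name in computer_accounts else "user"


if __name__ == "__main__":
    computers = {"WS01$"}  # assumption: exported from AD for this example
    for s in correlate_sessions(SAMPLE_EVENTS).values():
        kind = classify_account(s.account.split("\\", 1)[1], computers)
        print(f"{s.account:<14} {kind:<8} type={s.logon_type} "
              f"duration={s.duration_seconds}")
    print("failed:", failed_logons_by_account(SAMPLE_EVENTS))
```

Running it shows one closed session for CORP\alice (5400 s), two sessions still open, and that abc$ is reported as a user because it is absent from the computer-account set, while WS01$ is a computer.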