This question does not take Windows Server 2003 and older OSes into consideration.
I know that for local logon (event ID 4624) the logon type is also logged (interactive, remote, etc.). Is there a way I can also identify the logon type for domain authentications by collecting only the domain controller logs? I.e., can event IDs such as 4771 and 4768 be generated both by a user authenticating at his workstation (by the keyboard) and by a user or a service authenticating over the network, and if so, is there a way to know this from the log (4771 or 4768)? Or is authentication over the network always covered by event ID 4769, thus leaving event IDs 4771 and 4768 only for local authentications?
Best Answer
No, 4624s are not just for local workstation logons. They also occur on domain controllers. Same rules apply to both local logon and domain logon.
The trick is to look at the Logon Type listed in the event 4624. If the event says Logon Type: 3 then you know that it was a network logon. These events occur on domain controllers when users (or computers) log on to the AD domain, so yes, collecting the domain controllers is what you want to do.
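An added example, not part of the answer above: a parser that reads the Logon Type field from 4624 events in an XML export of a domain controller's Security log and decodes it. The sample events, host name, accounts and addresses are constructed, and the `<Events>` wrapper element around the export is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def _event(event_id, **fields):
    """Build one constructed event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>DC01.example.test</Computer></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample export from a domain controller (all values are made up).
SAMPLE = "<Events>" + "".join([
    _event(4624, TargetUserName="alice", LogonType=3, IpAddress="10.0.0.21"),
    _event(4624, TargetUserName="WS07$", LogonType=3, IpAddress="10.0.0.37"),
    _event(4624, TargetUserName="bob", LogonType=10, IpAddress="10.0.0.50"),
    _event(4624, TargetUserName="svc_backup", LogonType=5, IpAddress="-"),
    _event(4768, TargetUserName="alice", IpAddress="::ffff:10.0.0.21"),
]) + "</Events>"

def parse_logons(xml_text):
    """Return one dict per 4624 event, with the Logon Type decoded."""
    logons = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # other IDs, e.g. 4768, have no LogonType field
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if not data.get("LogonType", "").isdigit():
            continue  # malformed record: skip rather than guess
        code = int(data["LogonType"])
        logons.append({"user": data.get("TargetUserName", ""),
                       "source": data.get("IpAddress", ""),
                       "type": code,
                       "name": LOGON_TYPES.get(code, f"Unknown({code})")})
    return logons

def count_by_type(logons):
    """Tally logons per Logon Type name."""
    return Counter(l["name"] for l in logons)

if __name__ == "__main__":
    for l in parse_logons(SAMPLE):
        print(f'{l["user"]:<12} {l["source"]:<12} {l["type"]:>2} {l["name"]}')
```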