Home > Event Id > Workstation Lock Event Id

Workstation Lock Event Id


Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. Event 4801 S: The workstation was unlocked. User logon/logoff times in AD Best Answer Ghost Chili OP cduff Jan 29, 2015 at 8:08 UTC Powershell$Days = 1 $events = @() $events += Get-WinEvent -FilterHashtable @{ LogName='Security' [email protected](4800,4801) StartTime=(Get-Date).AddDays(-$Days) Event 4695 S, F: Unprotection of auditable protected data was attempted. http://computerhelpdev.com/event-id/query-service-database-lock-state-event-id-560.php

Event 4733 S: A member was removed from a security-enabled local group. Join Now Update: see CDuffs script below and my modifications at the end for the working script (thanks Craig). Event 5632 S, F: A request was made to authenticate to a wireless network. Subject: Security ID: WIN-R9H529RIO4Y\Administrator Account Name: Administrator Account Domain: WIN-R9H529RIO4Y Logon ID: 0x1be4b Session ID: 1 Keep me up-to-date on the Windows Security Log.

Event Id 4802

Source 4800: The workstation was locked 4801: The workstation was unlocked When a user unlocks his workstation you will see this event. Creating your account only takes a few minutes. Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.

Thanks for the idea Craig. 0 Serrano OP philgman Jan 30, 2015 at 12:18 UTC update: to get the workstation lock\unlock 4800\4801 event id's to log to the See ASP.NET Ajax CDN Terms of Use – http://www.asp.net/ajaxlibrary/CDN.ashx. ]]> Technologies Windows Windows Dev Center Windows IT Center Windows NOTE: this is an almost finished version. Audit Other Logon/logoff Events Security ID: The SID of the account.

Audit Filtering Platform Packet Drop Event 5152 F: The Windows Filtering Platform blocked a packet. Enable Event Id 4800 Event 4672 S: Special privileges assigned to new logon. Event 5888 S: An object in the COM+ Catalog was modified. Event 4694 S, F: Protection of auditable protected data was attempted.

We appreciate your feedback. Audit Other Account Logon Events Microsoft Customer Support Microsoft Community Forums United States (English) Sign in Home Windows Server 2012 R2 Windows Server 2008 R2 Library Forums We’re sorry. remote PCs event viewer)? 0 Datil OP M Boyle Oct 26, 2016 at 11:50 UTC Get-WinEvent has a -ComputerName parameter. Audit Registry Event 4663 S: An attempt was made to access an object.

Enable Event Id 4800

Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. http://stackoverflow.com/questions/11385164/eventviewer-eventid-for-lock-and-unlock It's also true for versions of Windows 2008 R2 and Win7 that do not support joining a domain. Event Id 4802 Security ID: The SID of the account. Event Id 4803 I never thought to look at changing the namespace.

Event 4697 S: A service was installed in the system. Check This Out Event 4750 S: A security-disabled global group was changed. Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended. Thanks. Event Code 4801

Event 4658 S: The handle to an object was closed. Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet. http://computerhelpdev.com/event-id/event-id-1309-web-event-event-code-3005.php Account Domain: The domain or - in the case of local accounts - computer name.

Event 4867 S: A trusted forest information entry was modified. Event Id Logon To find out when the user returned and unlocked the workstation look for event ID 4801. Event 4802 S: The screen saver was invoked.

Why are there no Imperial KX-series Security Droids in the original trilogy?

You probably have to activate their auditing using Local Security Policy (secpol.msc, Local Security Settings in Windows XP) -> Local Policies -> Audit Policy. Event 4826 S: Boot Configuration Data loaded. Event 6422 S: A device was enabled. Logon Logoff Event Id Solving the integral of a function with modulus What reasons are there to stop the SQL Server?

Audit Other Object Access Events Event 4671: An application attempted to access a blocked ordinal through the TBS. If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed). Event 4773 F: A Kerberos service ticket request failed. have a peek here Event 5033 S: The Windows Firewall Driver has started successfully.

Event 5890 S: An object was added to the COM+ Catalog. Yes No Additional feedback? 1500 characters remaining Submit Skip this Thank you! Popular Windows Dev Center Microsoft Azure Microsoft Visual Studio Office Dev Center ASP.NET IIS.NET Learning Resources Channel 9 Windows Development Videos Microsoft Virtual Academy Programs App Developer Agreement Windows Insider Program Event 4664 S: An attempt was made to create a hard link.

Event 4910: The group policy settings for the TBS were changed. Event 4663 S: An attempt was made to access an object. Event 5139 S: A directory service object was moved.