Audit logon events

Applies to

  • Windows 10

Determines whether to audit each instance of a user logging on to or logging off from a device.

Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server, and they generate an account logon event on the domain controller. Additionally, interactive logons to a member server or workstation that use a domain account generate a logon event on the domain controller as the logon scripts and policies are retrieved when a user logs on. For more info about account logon events, see Audit account logon events.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

For information about advanced security policy settings for logon events, see the Logon/logoff section in Advanced security audit policy settings.

Configure this audit setting

You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Logon events | Description
4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
4634 | The logoff process was completed for a user.
4647 | A user initiated the logoff process.
4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
4779 | A user disconnected a terminal server session without logging off.

When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

Logon type | Logon title | Description
2 | Interactive | A user logged on to this computer.
3 | Network | A user or computer logged on to this computer from the network.
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 | Service | A service was started by the Service Control Manager.
7 | Unlock | This workstation was unlocked.
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
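
The following added example (not part of the original documentation) shows how the event IDs and logon types above can be read from exported Security log XML and turned into a short review list. The sample events and account names are constructed, the function names are hypothetical, and the failure threshold of 3 is an assumed value.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event IDs and logon types as listed in the two tables above.
EVENTS = {4624: "logon", 4625: "logon failure", 4634: "logoff",
          4647: "user-initiated logoff", 4648: "explicit-credential logon",
          4779: "session disconnect"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def _ev(eid, user, logon_type):
    """Build one constructed Security event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample data; the accounts are made up.
SAMPLE = "<Events>" + "".join([
    _ev(4624, "alice", 2), _ev(4624, "svc-ftp", 8), _ev(4625, "bob", 3),
    _ev(4625, "bob", 3), _ev(4625, "bob", 3), _ev(4624, "carol", 11),
    _ev(4625, "dave", 2), _ev(4634, "alice", 2)]) + "</Events>"

def parse(xml_text):
    """Yield (event_id, user, logon_type or None) for the events in the table."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in EVENTS:
            continue
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        lt = data.get("LogonType", "")
        yield eid, data.get("TargetUserName", "?"), int(lt) if lt.isdigit() else None

def tally(xml_text):
    """Count events per (event meaning, logon type title)."""
    return Counter((EVENTS[e], LOGON_TYPES.get(t, "n/a")) for e, _, t in parse(xml_text))

def review(xml_text, fail_threshold=3):
    """Return findings worth a second look; the threshold is an assumed value."""
    failures, findings = Counter(), []
    for eid, user, lt in parse(xml_text):
        if eid == 4625:
            failures[user] += 1
        elif eid == 4624 and lt == 8:
            findings.append(f"{user}: NetworkCleartext logon, password passed unhashed")
        elif eid == 4624 and lt == 11:
            findings.append(f"{user}: CachedInteractive logon, domain controller not contacted")
    findings += [f"{u}: {n} failed logons" for u, n in failures.items() if n >= fail_threshold]
    return findings

if __name__ == "__main__":
    print(tally(SAMPLE), *review(SAMPLE), sep="\n")
```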

Related topics