Cannot understand Event ID 4624

Contributor

After reviewing some AD Domain Controller logs I've been doing loads of reading on Event ID 4624 and trying to understand user behaviour.  Once thing I have noticed is accounts appearing to be doing interactive logons (Logon Type 2) which should not be.  I immediately suspected is some one using these account instead of their own.

 

I've read that "real" logons usually have process lsass.exe or svchost.exe which from my reading are normal for a true logon.   However I noticed that a unusual process was listed for the event which appears to be something legit installed on the machine later (legit process\application)

 

Could this be something running as a service?  If that's the case I would have expected a logon type 5

A scheduled task?  Then shouldn't it be a logon type 4

 

Any idea on how I can track down how this is being run and why under the particular account and why its showing as an interactive logon?

2 Replies
Do you have all the audit logging features enabled in the Domain Controller GPO? Enable all logon/logoff logging and make sure your event log size can be 1 or 2Gb and that it overwrites events as needed.

Did this help finding more data?