Cannot understand Event ID 4624


After reviewing some AD Domain Controller logs I've been doing loads of reading on Event ID 4624 and trying to understand user behaviour. One thing I have noticed is accounts appearing to be doing interactive logons (Logon Type 2) which should not be. I immediately suspected someone is using these accounts instead of their own.


I've read that "real" logons usually have process lsass.exe or svchost.exe which from my reading are normal for a true logon. However I noticed that an unusual process was listed for the event which appears to be something legit installed on the machine later (legit process\application).


Could this be something running as a service?  If that's the case I would have expected a logon type 5

A scheduled task?  Then shouldn't it be a logon type 4


Any idea on how I can track down how this is being run and why under the particular account and why it's showing as an interactive logon?
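One way to pull the relevant fields out of exported 4624 events and flag the Type 2 logons whose calling process is not one of the usual system binaries. This is an added example, not code from the original post; the two events, the user names and the agent path are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon Type values mentioned in the thread (plus the common remote ones)
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Processes that normally appear as the caller on a genuine Type 2 logon
EXPECTED_INTERACTIVE = {"lsass.exe", "svchost.exe", "winlogon.exe"}

# Constructed sample: two 4624 events in the Security-log XML layout
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">Advapi  </Data>
<Data Name="ProcessName">C:\\Program Files\\Vendor\\agent.exe</Data>
</EventData></Event>
</Events>"""

def parse_4624_events(xml_text):
    """Return one dict of EventData fields per 4624 event in the XML."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # skip anything that is not a successful-logon event
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.find("e:EventData", NS).findall("e:Data", NS)}
        data["LogonType"] = int(data.get("LogonType", 0))
        events.append(data)
    return events

def review_logon(event):
    """Name the logon type and flag Type 2 logons raised by an unexpected caller."""
    proc = event.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    needs_review = event["LogonType"] == 2 and proc not in EXPECTED_INTERACTIVE
    return {"user": event.get("TargetUserName"),
            "logon_type": LOGON_TYPES.get(event["LogonType"], "Other"),
            "logon_process": event.get("LogonProcessName"),
            "caller": proc, "needs_review": needs_review}

def review_all(xml_text):  # convenience wrapper over the two functions above
    return [review_logon(e) for e in parse_4624_events(xml_text)]
```

Running `review_all` over a real export (for example the XML from Get-WinEvent's ToXml()) gives a per-logon list where `needs_review` marks the interactive logons worth correlating with the Caller Process ID and the Workstation Name.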

2 Replies
Do you have all the audit logging features enabled in the Domain Controller GPO? Enable all logon/logoff logging and make sure your event log size can be 1 or 2 GB and that it overwrites events as needed.

Did this help finding more data?