
KB-0558 What are the different Windows event IDs when a user logs in/logs out?

Authentication Service, Mac & PC Management Service

12 April,16 at 10:59 AM


What are the different Windows Event IDs recorded when a user logs in to or logs out of Unix/Linux machines joined to the domain?


1) Event 538 - account logoff

2) Event 540 - account logon

These only show as success records:

a) for users, shows user name as AD username and shows IP address
b) for machines, shows machine name as AD username and shows IP address

3) Event 627 - change password (can happen for machine accounts, too)

4) Event 644 - account lockout

5) Event 672 - authentication ticket

6) Event 673 - service ticket request

7) Event 675 - pre-authentication failed

a) If the password fails, UNIX machines will raise error 675 – “pre-authentication failed”.
b) This differs from Windows machines, which raise error 529.

8) UNIX machines also won’t record incorrect user names in the Windows Event log.

This is because DirectControl checks whether the username exists in the Zone before attempting to authenticate.
If the username doesn’t exist, NSS falls through to the next item (typically “files”).

References: KB-0498: Failed login attempts do not get audited in Security Event Log

9) Event 4771 - Kerberos login failure

10) Event 4740 - Account Lockout
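
Because a bad password from a UNIX machine is logged as 675 (or 4771) rather than 529, failed-logon monitoring has to count all three IDs. The following is an added example, not Centrify code: it flags accounts with repeated password failures and notes whether a lockout (644/4740) was also recorded. The CSV layout, the sample records, the threshold and the time window are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs taken from the list above.
FAILED_PASSWORD = frozenset({529, 675, 4771})  # 529: Windows hosts; 675/4771: UNIX hosts
LOCKOUT = frozenset({644, 4740})

# Constructed sample export; assumed layout: timestamp,event_id,account,client_ip
SAMPLE = """\
2016-04-12T10:00:01,672,alice,10.0.0.5
2016-04-12T10:00:02,540,alice,10.0.0.5
2016-04-12T10:01:10,675,bob,10.0.0.9
2016-04-12T10:01:15,675,bob,10.0.0.9
2016-04-12T10:01:21,675,bob,10.0.0.9
2016-04-12T10:01:22,644,bob,10.0.0.9
2016-04-12T10:05:00,529,carol,10.0.0.7
2016-04-12T10:30:00,538,alice,10.0.0.5
"""

def parse(text):
    """Yield (timestamp, event_id, account, client_ip) from the assumed CSV layout."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, account, ip = (f.strip() for f in line.split(","))
            yield datetime.fromisoformat(ts), int(eid), account.lower(), ip

def failure_bursts(text, failure_ids=FAILED_PASSWORD, threshold=3,
                   window=timedelta(minutes=5)):
    """Report accounts with >= threshold password failures inside the window."""
    recent, report, locked = defaultdict(deque), {}, set()
    for ts, eid, account, ip in sorted(parse(text)):
        if eid in LOCKOUT:
            locked.add(account)
        elif eid in failure_ids:
            q = recent[account]
            q.append((ts, ip))
            while ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(account, {"failures": 0, "sources": set()})
                entry["failures"] = max(entry["failures"], len(q))
                entry["sources"].update(src for _, src in q)
    for account, entry in report.items():
        entry["locked_out"] = account in locked
    return report

if __name__ == "__main__":
    for account, info in failure_bursts(SAMPLE).items():
        print(account, info)
```

Calling `failure_bursts(SAMPLE, failure_ids={529})` on the same records reports nothing, which is the gap a 529-only rule leaves for UNIX machines.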