
Observe exact username for 4624 events

Guest User 0 Reputation points
2025-12-17T16:53:50.3733333+00:00

Hello,

I am trying to identify why a specific 4624 Logon event does not show the exact username logging into the server. Instead, it only shows the system account. I have the Computer configuration "Audit logon" set to Success/Failure; however, it does not show the specific user. Is there another configuration to be enabled here? The server being logged into is a VM and I am only seeing Logon type 3. Any recommendations here?

Windows for business | Windows Server | Directory services | User logon and profiles

3 answers

  1. VPHAN 25,000 Reputation points Independent Advisor
    2025-12-18T15:14:34.36+00:00

    Hello Guest User,

    I am following up to check if inspecting the "New Logon" section of the Event 4624 entry resolved the visibility issue regarding the username. It is important to remember that the "Subject" field identifying the SYSTEM account is standard behavior for the operating system process handling the connection, and the specific user identity will invariably be found lower in the log details. If you have confirmed this and the issue persists, please verify that your Group Policy is explicitly configured for "Advanced Audit Policy Configuration" to prevent legacy audit settings from filtering out the granular data you need.

    If the issue has been successfully resolved, please consider accepting the answer as it helps other people sharing the same question benefit too. Thank you!

    VP


  2. VPHAN 25,000 Reputation points Independent Advisor
    2025-12-17T17:30:25.04+00:00

    Hello <removed>

    It is highly likely that you are looking at the Subject section of the Event ID 4624 entry rather than the New Logon section, or you are observing the necessary machine-to-machine authentication that precedes user activity. In a Network Logon (Type 3) scenario, the "Subject" fields identify the account on the local system that requested the logon, which is almost invariably the local SYSTEM account (S-1-5-18) or the machine account itself, as the operating system's services (like the Server service or LSASS) are the entities processing the incoming network request. This is standard behavior and does not indicate a misconfiguration. You must scroll down within the event details to the New Logon section; this is where the Security ID and Account Name of the actual remote user connecting to the VM will be listed.

    If you check the New Logon section and see a computer account (indicated by a $ at the end of the username, e.g., DESKTOP-XYZ$) instead of a human user, you are witnessing computer authentication. In Active Directory environments, computers authenticate to each other to establish secure channels for Group Policy updates, system management, or simply setting up the transport before the user session begins. These events generate a high volume of Logon Type 3 entries. The actual user authentication usually follows these machine events closely. If you truly do not see a subsequent Event 4624 Type 3 for the specific human user, the session might be utilizing an existing established network session (connection pooling), or the access might be occurring via a null session if ANONYMOUS LOGON is present.

    To ensure you have the most granular and accurate logging control, verify that you are not relying on the legacy "Audit Logon Events" policy under Local Policies. Instead, configure this via the Advanced Audit Policy Configuration. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff and ensure Audit Logon is set to Success and Failure. Additionally, verify that the security option "Audit: Force audit policy subcategory settings..." in the Local Policies > Security Options is enabled to prevent legacy category policies from overriding your granular advanced settings. This ensures the VM captures every distinct logon attempt, allowing you to filter out the SYSTEM noise and locate the specific user identity in the New Logon field.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

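
The Subject versus New Logon distinction described in the answer above, as an added PowerShell example (not part of any answer on this page and not Microsoft's code). The function name `ConvertFrom-LogonEventXml`, the host `VM01`, the account `EXAMPLE\jdoe` and the address are constructed for illustration; the `Data` field names are the ones Event 4624 carries.

```powershell
# Constructed sample of a 4624 event, trimmed to the fields used below.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>VM01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">VM01$</Data>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.15</Data>
  </EventData>
</Event>
'@

function ConvertFrom-LogonEventXml {
    # Hypothetical helper: flattens one 4624 event into Subject / New Logon columns.
    param([Parameter(Mandatory)][string]$Xml)

    # Index every <Data Name="..."> element by its Name attribute.
    $fields = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    # Target* fields are the "New Logon" section; Subject* is the local requester.
    $name = $fields['TargetUserName']
    $kind = if ($name -like '*$') { 'Computer' } elseif ($name -eq 'ANONYMOUS LOGON') { 'Anonymous' } else { 'User' }

    [pscustomobject]@{
        Subject     = $fields['SubjectUserName']
        NewLogon    = '{0}\{1}' -f $fields['TargetDomainName'], $name
        AccountKind = $kind
        LogonType   = [int]$fields['LogonType']
        SourceIp    = $fields['IpAddress']
    }
}

# Offline check against the constructed sample.
ConvertFrom-LogonEventXml -Xml $sampleXml

# Live use from an elevated prompt: keep only network logons by human accounts.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() } |
#     Where-Object { $_.LogonType -eq 3 -and $_.AccountKind -eq 'User' }
```

Running `auditpol /get /subcategory:"Logon"` on the VM shows whether the advanced Audit Logon subcategory is actually in effect.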

  3. Q&A Assist
    2025-12-17T16:55:06.09+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To observe the exact username for event ID 4624, ensure that you have configured the appropriate auditing settings on your server. Since you mentioned that you are only seeing Logon Type 3, which indicates a network logon, you should verify that the following configurations are in place:

    1. Audit Logon Events: Ensure that the policy for auditing logon events is enabled. This can be found under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Make sure both Audit Logon Events and Audit Account Logon Events are set to log successes and failures.
    2. Check Group Policy Settings: If the server is part of a domain, check the Group Policy settings applied to the server to ensure there are no overriding policies that might prevent logging the exact username.
    3. Review Security Event Logs: Sometimes, the event logs may not display the expected information due to filtering or log size limitations. Ensure that you are reviewing the logs comprehensively.
    4. Logon Type: Since you are seeing Logon Type 3, which is for network logons, consider that the username may not appear if the logon is being performed through a service or system account. You may want to check if the logon is initiated by a specific application or service that uses a system account.

    If these settings are correctly configured and you still do not see the exact username, you may need to investigate further into the specific applications or services that are initiating the logon requests to understand their behavior better.


