This security policy setting determines whether the operating system generates audit events for other logon or logoff events, such as:

• A Remote Desktop session disconnects or connects.
• A workstation is locked or unlocked.
• A screen saver is invoked or dismissed.
• A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
• A user is granted access to a wireless network. It can either be a user account or the computer account.
• A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.

Logon events are essential to understanding user activity and detecting potential attacks.

Event volume: Low on a client computer or a server

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

• 4649: A replay attack was detected.
• 4778: A session was reconnected to a Window Station.
• 4779: A session was disconnected from a Window Station.
• 4800: The workstation was locked.
• 4801: The workstation was unlocked.
• 4802: The screen saver was invoked.
• 4803: The screen saver was dismissed.
• 5378: The requested credentials delegation was disallowed by policy.
• 5632: A request was made to authenticate to a wireless network.
• 5633: A request was made to authenticate to a wired network.