Windows event log lock workstation

Submit and view feedback for This product This page. View all page feedback. In this article. We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low. Failure events will show you when requested credentials CredSSP delegation was disallowed by policy.

When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Formats vary, and include the following:. Example of output see ID column :. Important For this event, also see Appendix A: Security monitoring recommendations for many audit events.

You probably have to activate their auditing using Local Security Policy secpol. For Windows 10 see the picture below. In the Explain tab it says " Locking and unlocking a workstation". For newer versions of Windows including but not limited to both Windows 10 and Windows Server , the event IDs are:. When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event may replace event Events and are not audited by default, and must be enabled using either Local Group Policy Editor gpedit.

The event IDs to look for in pre-Vista Windows are , , and To identify unlock screen I believe that you can use ID As it says in the answer provided by Mario and User , you will need to enable logging of lock and unlock events by using their method described above by running gpedit.

This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer. Using Windows 10 Home edition. I was unable to get my event viewer to capture events and , even after installing the Windows Group Policy Editor, enabling auditing on all the relevant events, and restarting the computer. However, I was able to discover other events that are tied to locking and unlocking that you can use as accurate and reliable indicators of when the PC was locked.

Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. This would prompt us to further inform the user and provide follow-up training, and possibly impose a shorter inactivity threshold if they do not improve. It sounds like we'll have to enable a screen saver to get this to work, and at that we will lose accurate timestamps accurate as to the time the inactivity threshold was reached on the events in favor of timestamps on the events.

I think that may work for us. To continue this discussion, please ask a new question. Get answers from your peers along with millions of IT pros who visit Spiceworks. Best Answer. Verify your account to enable IT peers to see that you are a professional. This may help you in your quest: Windows Security Log Event ID - The workstation was locked to quote: " When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged.

For Interactive logons you may see the following sequence: screensaver invoked, Event ID screensaver dismissed Event ID console locked: Event ID console unlocked: Event ID The understanding is that when screensaver is active, Windows does not view console as locked - it is only locked when there is keyboard or mouse input - that's when user sees the Ctrl-Alt-Delete screen - then finally the unlock event.

View this "Best Answer" in the replies below ».