RE: Screen Saver Lock Event ID

The customer's goal could not be implemented in Windows XP.

Prior to Windows Vista there is no event when a workstation is locked.
Unlock is a pair of events (528+538) with logon type 7.

Starting in Windows Vista we have added explicit events for lock, unlock,
TS/FUS connect/disconnect, screen saver invoke and screen saver dismiss.
These are in the Security event log and are from event source
¡°Microsoft-Windows-Security-Auditing¡±. The event IDs are in the range
XXX-XXX.

You can dump the events yourself from a Vista or Windows Server 2008
machine:
http://blogs.msdn.com/ericfitz/archive/2007/07/31/documentation-on-the-windo
ws-vista-and-windows-server-2008-security-events.aspx

I would give you one note of caution- the events and timestamps for logoff
and lock workstation are unreliable- they do not PROVE that someone
accessed their machine for exactly that length of time. I discuss logoff
events here:
http://blogs.msdn.com/ericfitz/archive/2007/05/08/the-trouble-with-logoff-ev
ents.aspx

The problem with locking the workstation is that there is no way to
instrument the OS for someone who just backs away from the keyboard and
walks away. The screen saver, if configured, will come on after a
configurable delay since the last keypress or mouse movement. However the
workstation does not lock until the screen saver is dismissed (some of you
might have noticed that when you bump the mouse to dismiss the screensaver,
sometimes you see your desktop for a fraction of a second- that¡¯s because
your machine isn¡¯t locked while the screen saver is being displayed).




Best regards,

Laura Zhang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader:
microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================


.

Relevant Pages

  • Re: Unlocking Workstations
    ... configure a GPO with this screen saver and a time of 15 minutes.... ... > workstation locks after 15 minutes of inactivity. ... > or an administrator can unlock the workstation. ... > networked workstations is a Domain Administrator. ...
    (microsoft.public.win2000.security)
  • Re: disabling workstation lock
    ... administrator can unlock it - press ctrl-alt-del" etc. ... the screen saver is set to "none"; ... the pc's are not connecting to a domain. ... >as what you are calling workstation locking. ...
    (microsoft.public.windowsxp.security_admin)
  • Locked bei (slash)
    ... i´ve got some problem about locking when the screen saver ... i have a notice that only \ can unlock the ... workstation. ...
    (microsoft.public.win2000.security)
  • RE: GP wont apply
    ... On your workstation, open a command prompt and type "gpresult" and see if the ... policy you created is being applied to your workstation. ... "Kathy" wrote: ... >>> Hide Screen Saver tab Enabled ...
    (microsoft.public.windows.server.active_directory)
  • Re: Re: Re: Re: Automatically Log Off a workstation
    ... If the Screen saver tab is still available, ... >running on the workstation, like Word, Outlook, Excel? ... >>> Windows Server MVP ...
    (microsoft.public.win2000.group_policy)
Loading