This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Windows Event for mapped drive

Question
0

Sign in to vote

Dear all,

Now I have a file server running Windows Server 2016. Only some users have permission to access that server. But in Event Viewer I see lot of non-privillege users with event id 4624 logon type 3 beside administrator users. I sure that those non-previllege users can't RDP to the server. How I can know that which event id is user mapped drive and which one is real user login?

Monday, February 10, 2020 8:26 AM

All replies

0

Sign in to vote
Hi,

You might need to enable auditing, if the mapped network drive is a network share then the following event:
5140(S, F): A network share object was accessed.

More information here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share

Best regards,
Leon
Blog: https://thesystemcenterblog.com LinkedIn:
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 8:45 AM
1

Sign in to vote
check logon type in that event details. followup below guidance,

https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4624.html

https://eventlogxp.com/blog/logon-type-what-does-it-mean/
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 1:58 PM
0

Sign in to vote
With the logon type, you can find the difference: https://eventlogxp.com/blog/logon-type-what-does-it-mean/

Logon type 3 is for network logon while logon type 2 is for interactive logon.

This posting is provided AS IS with no warranties or guarantees , and confers no rights.

Ahmed MALEK

My Website Link

My Linkedin Profile

My MVP Profile
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 2:04 PM
0

Sign in to vote
Hi,
Thanks for posting here!

Based on my understanding , we need to check both the permission for access shared folder and RDP , there are differenct permission settings.
Logon type 3 is for network logon while logon type 2 is for interactive logon.
If you want more information about shared folder access , audit policy for shared folder should be enabled. Once you don't need it , you can disabled it either.

Best Regards,
Fan

Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Tuesday, February 11, 2020 5:10 AM
1

Sign in to vote

One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.

Enable auditing, then check security logs for event IDs - 5140(A network share object was accessed) and 4624(An account was successfully logged on)

Another option you can try is; LepideAuditor for file server to audit file share access with real time alerts. Also, you could use Wireshark to monitor the network traffic.

Tuesday, February 11, 2020 11:00 AM
0

Sign in to vote

Hi,

Welcome to share your current situation.

Please feel free to let us know if you need further assistance.

Best Regards,

Fan

Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Thursday, February 13, 2020 9:39 AM
0

Sign in to vote

Hi，

As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up.

Again thanks for your time and have a nice day!

Fan
Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

Monday, February 17, 2020 7:04 AM