Windows Event for mapped drive

Question
-
Dear all,
Now I have a file server running Windows Server 2016. Only some users have permission to access that server. But in Event Viewer I see a lot of non-privileged users with event ID 4624, logon type 3, besides the administrator users. I am sure that those non-privileged users can't RDP to the server. How can I know which event ID is a user mapping a drive and which one is a real user login?
Monday, February 10, 2020 8:26 AM
All replies
-
Hi,
You might need to enable auditing. If the mapped network drive is a network share, then look for the following event:
5140(S, F): A network share object was accessed.
More information here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
Blog: https://thesystemcenterblog.com
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 8:45 AM -
Check the logon type in that event's details. Follow up with the guidance below,
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 1:58 PM -
With the logon type, you can find the difference: https://eventlogxp.com/blog/logon-type-what-does-it-mean/
Logon type 3 is for network logon while logon type 2 is for interactive logon.
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Ahmed MALEK
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Monday, February 10, 2020 2:04 PM -
Hi,
Thanks for posting here!
Based on my understanding, we need to check both the permissions for accessing the shared folder and for RDP; there are different permission settings.
Logon type 3 is for network logon while logon type 2 is for interactive logon.
If you want more information about shared folder access, the audit policy for shared folders should be enabled. Once you don't need it, you can disable it as well.
Best Regards,
Fan
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
- Proposed as answer by flingminMicrosoft contingent staff Monday, February 17, 2020 7:03 AM
Tuesday, February 11, 2020 5:10 AM -
One of the most common sources of logon events with logon type 3 is connections to shared folders or printers.
Enable auditing, then check the security logs for event IDs 5140 (A network share object was accessed) and 4624 (An account was successfully logged on).
Another option you can try is LepideAuditor for file server, to audit file share access with real-time alerts. Also, you could use Wireshark to monitor the network traffic.
Tuesday, February 11, 2020 11:00 AM -
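The replies above can be combined into one query. The following is an added example, not part of the original thread: it labels each 4624 by logon type and lists the shares (5140) opened in the same logon session. It assumes an elevated PowerShell 5.1 session on the file server, that "Audit File Share" is already enabled, and a 24-hour look-back window. Logon type 10 (RemoteInteractive, used by RDP) is included in addition to the types 2 and 3 named in the thread.

```powershell
# Added example; run elevated on the file server. Requires "Audit File Share"
# auditing so that event 5140 is written to the Security log.
$since = (Get-Date).AddHours(-24)   # look-back window (assumed value)

# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 5140; StartTime = $since
} -ErrorAction SilentlyContinue

# Index share accesses (5140) by the logon session that performed them.
# 5140's SubjectLogonId equals the TargetLogonId of the 4624 that created the session.
$sharesByLogon = @{}
foreach ($e in ($events | Where-Object Id -eq 5140)) {
    $f  = Get-EventFields $e
    $id = $f['SubjectLogonId']
    if (-not $sharesByLogon.ContainsKey($id)) {
        $sharesByLogon[$id] = [System.Collections.Generic.HashSet[string]]::new()
    }
    [void]$sharesByLogon[$id].Add($f['ShareName'])
}

# Report every logon with its type and the shares touched in that session.
foreach ($e in ($events | Where-Object Id -eq 4624)) {
    $f = Get-EventFields $e
    $kind = switch ($f['LogonType']) {
        '2'     { 'Interactive (console)' }
        '3'     { 'Network (share, printer, ...)' }
        '10'    { 'RemoteInteractive (RDP)' }
        default { "Other ($($f['LogonType']))" }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
        Kind   = $kind
        Source = $f['IpAddress']
        Shares = @($sharesByLogon[$f['TargetLogonId']]) -join ', '
    }
}
```

A type 3 row with an empty Shares column is a network logon that did not open a share within the window, for example printer access or another authenticated network request.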
Hi,
Welcome to share your current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
Fan
Thursday, February 13, 2020 9:39 AM -
Hi,
As this thread has been quiet for a while, we will propose it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.
Again thanks for your time and have a nice day!
Fan
Monday, February 17, 2020 7:04 AM