By looking at the Security Event Log, and Event ID 529
In the above example, the user tried to logon to the computer while it was disconnected from the network. You can tell this from the Logon Type of 11.
Other logon type values are as follows:
| Logon Type | Description |
| 2 | Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10. |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon – Never logged by 528 on W2k and forward. See event 540) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (Service startup) |
| 6 | Proxy |
| 7 | Unlock (i.e. unnattended workstation with password protected screen saver) |
| 8 | NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”) |
| 9 | New Credentials |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network) |
Reference: Auditing User Authentication
Related posts:
My user account is trying to logon another system and I don’t know why!
“Logon failure: the user has not been granted the requested logon type at this computer”
Slow startup and/or logon times with Windows 7?
Powered by YARPP.