Elevated Token: This field will be Yes if the user is a member of Administrators, kind of. The "kind of" applies to interactive logons when you are an admin and User Account Control (UAC) is enabled. In that case you actually get two logon sessions when you log on: one without the Administrators SID and the related privileges in your security token (the filtered token), and another with all of that authority. Everything you do runs under the unprivileged session until you attempt something that requires admin authority; after you approve the UAC prompt, Windows runs that one operation under the elevated session. So in the log you will see two of these events for a single logon, one where this field is Yes and one where it is No. The two logon sessions are tied together by the Linked Logon ID described below.

Virtual Account: This will be Yes for services configured to log on with a "Virtual Account". Virtual Accounts only appear in Service logons (logon type 5), when Windows starts a logon session as part of a service starting up. You can configure a service to run as a virtual account, which Microsoft calls a "managed local account". Their "domain" is NT SERVICE, as in an instance of MS SQL Server named Supercharger running as NT SERVICE\MSSQL$SUPERCHARGER.

Restricted Admin Mode: This field lets you detect RDP sessions that fail to use restricted admin mode; you should only see it populated for logon type 10. Restricted admin mode is an important way to limit the spread of admin credentials in ways that can be harvested by malware using pass-the-hash and related techniques. When you remote desktop into a server with /restrictedAdmin you get full authority on that server, but your credentials are never sent to it, so they do not carry with you if you access other systems from within that RDP session (those onward connections authenticate as the server's computer account instead).
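The following is an added example, not code from the original page: it parses 4624 events into objects and reports the three fields described above, flagging RDP (type 10) logons made without restricted admin mode, service (type 5) logons running as a virtual account, and UAC split-token pairs joined by Linked Logon ID. It assumes the Windows 10 / Server 2016 and later field names (ElevatedToken, VirtualAccount, RestrictedAdminMode, TargetLinkedLogonId) and that the raw event XML stores the Yes/No values as the message-resource references %%1842 (Yes) and %%1843 (No), which Event Viewer renders as text. The sample events are constructed for the demonstration, not captured from a real system.

```powershell
# Added example (not from the original page). Assumes Windows 10 / Server 2016+
# 4624 field names. In raw XML the Yes/No fields appear as %%1842 / %%1843.
$YesNo = @{ '%%1842' = 'Yes'; '%%1843' = 'No' }

function ConvertFrom-Logon4624 {
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $d = @{}
        foreach ($node in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
            $v = $node.InnerText
            if ($YesNo.ContainsKey($v)) { $v = $YesNo[$v] }   # normalise to Yes/No
            $d[$node.GetAttribute('Name')] = $v
        }
        [pscustomobject]@{
            Time                = $EventXml.Event.System.TimeCreated.SystemTime
            Computer            = $EventXml.Event.System.Computer
            User                = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType           = [int]$d.LogonType
            LogonId             = $d.TargetLogonId
            LinkedLogonId       = $d.TargetLinkedLogonId
            ElevatedToken       = $d.ElevatedToken
            VirtualAccount      = $d.VirtualAccount
            RestrictedAdminMode = $d.RestrictedAdminMode
            IpAddress           = $d.IpAddress
        }
    }
}

# RDP logons whose client did not use /restrictedAdmin. The field is "-" for
# every other logon type, so filter on type 10 first.
function Get-UnrestrictedRdpLogon {
    param([Parameter(Mandatory)][object[]]$Logons)
    $Logons | Where-Object { $_.LogonType -eq 10 -and $_.RestrictedAdminMode -ne 'Yes' }
}

# Service logons (type 5) running as an NT SERVICE\... virtual account.
function Get-VirtualAccountLogon {
    param([Parameter(Mandatory)][object[]]$Logons)
    $Logons | Where-Object { $_.LogonType -eq 5 -and $_.VirtualAccount -eq 'Yes' }
}

# UAC split-token pairs: the filtered (No) and full (Yes) sessions reference
# each other via Linked Logon ID, which is 0x0 when there is no pair.
function Get-UacLogonPair {
    param([Parameter(Mandatory)][object[]]$Logons)
    $byId = @{}
    foreach ($l in $Logons) { $byId[$l.LogonId] = $l }
    foreach ($l in ($Logons | Where-Object { $_.ElevatedToken -eq 'No' -and $_.LinkedLogonId -ne '0x0' })) {
        $full = $byId[$l.LinkedLogonId]
        if ($full -and $full.ElevatedToken -eq 'Yes') {
            [pscustomobject]@{ User = $l.User; FilteredLogonId = $l.LogonId; FullLogonId = $full.LogonId }
        }
    }
}

# Constructed sample events (not real log data) covering the three cases.
function New-Sample4624 {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $data = ($Fields.GetEnumerator() | ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    [xml]('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID>' +
          '<TimeCreated SystemTime="2024-05-01T09:00:00Z"/><Computer>SRV1</Computer></System>' +
          "<EventData>$data</EventData></Event>")
}
function Merge-Fields([hashtable]$Base, [hashtable]$Extra) {
    $h = $Base.Clone(); foreach ($k in $Extra.Keys) { $h[$k] = $Extra[$k] }; $h
}
$base = @{ RestrictedAdminMode = '-'; VirtualAccount = '%%1843'; TargetLinkedLogonId = '0x0'; IpAddress = '-' }
$samples = @(
    # Interactive admin logon with UAC on: two 4624s, filtered and full token, linked to each other.
    (New-Sample4624 (Merge-Fields $base @{ TargetDomainName = 'CORP'; TargetUserName = 'jdoe'; LogonType = 2; TargetLogonId = '0x3E8A1'; TargetLinkedLogonId = '0x3E8C5'; ElevatedToken = '%%1843' }))
    (New-Sample4624 (Merge-Fields $base @{ TargetDomainName = 'CORP'; TargetUserName = 'jdoe'; LogonType = 2; TargetLogonId = '0x3E8C5'; TargetLinkedLogonId = '0x3E8A1'; ElevatedToken = '%%1842' }))
    # SQL Server instance running as a virtual account.
    (New-Sample4624 (Merge-Fields $base @{ TargetDomainName = 'NT SERVICE'; TargetUserName = 'MSSQL$SUPERCHARGER'; LogonType = 5; TargetLogonId = '0x1F4D2'; VirtualAccount = '%%1842'; ElevatedToken = '%%1842' }))
    # RDP logon made without /restrictedAdmin: credentials were sent to SRV1.
    (New-Sample4624 (Merge-Fields $base @{ TargetDomainName = 'CORP'; TargetUserName = 'srvadmin'; LogonType = 10; TargetLogonId = '0x5A1B3'; RestrictedAdminMode = '%%1843'; ElevatedToken = '%%1842'; IpAddress = '10.0.0.25' }))
)

$logons = $samples | ConvertFrom-Logon4624
Get-UnrestrictedRdpLogon $logons | Format-Table User, IpAddress, RestrictedAdminMode
Get-VirtualAccountLogon  $logons | Format-Table User, LogonType, VirtualAccount
Get-UacLogonPair         $logons | Format-Table

# Against a live Security log (elevated shell required), replace $samples with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#       ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-Logon4624
```

The Yes/No normalisation matters in practice: the rendered message shows "Yes", but `ToXml()` and most SIEM forwarders ship the raw `%%1842`/`%%1843` values, so a detection written against the literal string "No" never fires. Restricted Admin Mode is "-" outside logon type 10, which is why the RDP check tests the logon type before the field.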