{"id":449,"date":"2020-09-10T14:25:14","date_gmt":"2020-09-10T14:25:14","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=449"},"modified":"2020-09-10T14:25:15","modified_gmt":"2020-09-10T14:25:15","slug":"how-to-display-logons-of-non-domain-users-to-the-system","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/how-to-display-logons-of-non-domain-users-to-the-system\/","title":{"rendered":"How to display logons of non-domain users to the system"},"content":{"rendered":"\n<p>Sometimes you may need to display who logs on to your server other than the authenticated domain users: authenticated users from a trusted domain, local users, system services, etc.<\/p>\n\n\n\n<p>First, we filter the Security log by Event ID = 4624 (as we did <a href=\"https:\/\/eventlogxp.com\/blog\/exploring-who-logged-on-the-system\/\">before<\/a>).<\/p>\n\n\n\n<p>The description of this event looks like this:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>An account was successfully logged on. 
<\/p><p>Subject:<\/p><p>\u00a0\u00a0\u00a0\u00a0Security ID:\u00a0\u00a0S-1-0-0<\/p><p>\u00a0\u00a0\u00a0\u00a0Account Name:\u00a0\u00a0-<\/p><p>\u00a0\u00a0\u00a0\u00a0Account Domain:\u00a0\u00a0-<\/p><p>\u00a0\u00a0\u00a0\u00a0Logon ID:\u00a0\u00a000000000<\/p><p>Logon Type:\u00a0\u00a03<\/p><p>Impersonation Level:\u00a0\u00a0Impersonation<\/p><p>New Logon:<\/p><p>\u00a0\u00a0\u00a0\u00a0Security ID:\u00a0\u00a0S-1-5-21-3517536955-4254224319-112489931-1107<\/p><p>\u00a0\u00a0\u00a0\u00a0Account Name:\u00a0\u00a0Michael<\/p><p>\u00a0\u00a0\u00a0\u00a0Account Domain:\u00a0\u00a0FSPRO<\/p><p>\u00a0\u00a0\u00a0\u00a0Logon ID:\u00a0\u00a0017448C0<\/p><p>\u00a0\u00a0\u00a0\u00a0Logon GUID:\u00a0\u00a0{00000000-0000-0000-0000-000000000000}<\/p><p>Process Information:<\/p><p>\u2026<\/p><\/blockquote>\n\n\n\n<p>The New Logon group describes the user who logs on. Let&#8217;s display 4624 events where New Logon\\Account Name is not FSPro. This is very easy to do with the Event Log Explorer filter. 
<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"675\" height=\"330\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/Filter.png\" alt=\"Using filter to display non-domain users\" class=\"wp-image-451\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/Filter.png 675w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/Filter-300x147.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/Filter-660x323.png 660w\" sizes=\"(max-width: 675px) 100vw, 675px\" \/><\/figure>\n\n\n\n<p>This method works well, but it has several drawbacks:<\/p>\n\n\n\n<ul><li>Filtering by description params is not very fast: Event Log Explorer has to parse the description of every event and check its params.<\/li><li>Filtering by description params depends on the Windows language. On non-English systems, param names like Account Domain may be translated.<\/li><li>This approach won&#8217;t work with Elodea, if you decide to make such a feed.<\/li><li>It works only with Event Log Explorer. Windows Event Viewer offers no such or similar functionality.<\/li><\/ul>\n\n\n\n<p>An XML query doesn&#8217;t have these drawbacks, but it&#8217;s harder to compose.<\/p>\n\n\n\n<p>Double-click a 4624 event and switch to the XML tab.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"639\" height=\"358\" src=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/image.png\" alt=\"\" class=\"wp-image-453\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/image.png 639w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/image-300x168.png 300w\" sizes=\"(max-width: 639px) 100vw, 639px\" \/><\/figure>\n\n\n\n<p>We need to exclude events whose TargetDomainName equals FSPRO.<\/p>\n\n\n\n<p>You might think the XML query should look like this:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>&lt;QueryList><\/p><p>\u00a0\u00a0\u00a0\u00a0&lt;Query Id=&quot;0&quot; Path=&quot;Security&quot;><\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;Select Path=&quot;Security&quot;><\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0*[System[(EventID=4624)]]<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0and<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0*[EventData[Data[@Name='TargetDomainName'] and (Data!='FSPRO')]]<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/Select><\/p><p>\u00a0\u00a0\u00a0\u00a0&lt;\/Query><\/p><p>&lt;\/QueryList><\/p><\/blockquote>\n\n\n\n<p>But this query is wrong. 
The clause <strong><em>*[EventData[Data[@Name='TargetDomainName'] and (Data!='FSPRO')]]<\/em><\/strong> is true for most events, because Data is multi-valued: the two conditions are evaluated independently over all Data elements of the event, so the clause matches whenever any Data element (not necessarily TargetDomainName) is not equal to FSPRO.<\/p>\n\n\n\n<p>The correct XML query compares the TargetDomainName element itself:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>&lt;QueryList><\/p><p>\u00a0\u00a0\u00a0\u00a0&lt;Query Id=&quot;0&quot; Path=&quot;Security&quot;><\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;Select Path=&quot;Security&quot;><\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0*[System[(EventID=4624)]]<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0and<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0*[EventData[Data[@Name='TargetDomainName']!='FSPRO']]<\/p><p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&lt;\/Select><\/p><p>\u00a0\u00a0\u00a0\u00a0&lt;\/Query><\/p><p>&lt;\/QueryList><\/p><\/blockquote>\n\n\n\n<p>The result of this query:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" width=\"779\" height=\"694\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/non-domain-logons-result.png\" alt=\"non domain logons - result\" class=\"wp-image-450\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/non-domain-logons-result.png 779w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/non-domain-logons-result-300x267.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/non-domain-logons-result-768x684.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2020\/09\/non-domain-logons-result-660x588.png 660w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><\/figure>\n\n\n\n<p><a href=\"http:\/\/eventlogxp.com\/download\/elex_setup.exe\">Download Event Log Explorer<\/a>\u00a0right now and try your own event filtering tasks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sometimes you may need to display who logs on to your server other than the authenticated domain users: authenticated users from a trusted domain, local users, system services, etc. First, we filter the Security log by Event ID = 4624 (as we did before). The description of this event looks like this: An account was successfully logged on. Subject: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u2026 <span class=\"read-more\"><a href=\"https:\/\/eventlogxp.com\/blog\/how-to-display-logons-of-non-domain-users-to-the-system\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":455,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7,42,2],"tags":[19,32,34,23,4],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/449"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=449"}],"version-history":[{"count":2,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/449\/revisions"}],"predecessor-version":[{"id":454,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/449\/revisions\/454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/455"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}