Once the domain controller tells the workstation that the user is authenticated, the workstation proceeds with creating the logon session and a records a logon event (528/4624) in its security log.
What if we logon to the workstation with an account from a trusted domain?
For that matter the logon could be associated with a service starting or a scheduled task kicking off.Are authentication events a duplicate of logon events?No: the reason is because authentication may take place on a different computer than the one into which you are logging. You are logging onto at the console (aka “interactive logon”) of a standalone workstation (meaning it is not a member of any domain).In this case both the authentication and logon occur on the very same computer because you logged on to the local computer using a local account.Therefore you will see both an Account Logon event (680/4776 ) and a Logon/Logoff (528/4624) event in its security log.Each Windows computer is responsible for maintaining its own set of active logon sessions and there is no central entity aware of everyone who is logged on somewhere in the domain.After servicing an authentication request, the domain controller doesn’t maintain information about how you were logging (console, remote desktop, network, etc) or when you logged off.You can correlate logon and logoff events by Logon ID which is a hexadecimal code that identifies that particular logon session.After logging on to a workstation you can typically re-connect to shared folders on a file server. Remember, whenever you access a Windows computer you must obtain a logon session – in this case a “network logon” session.In all such cases you will need to look at the Logon Type specified in the logon event 528/540/4624.A full list of Logon Types is provided at the provided links for those events but in short: When you logon to your workstation or access a shared folder on a file server, you are not “logging onto the domain”.