Does the event 540 help me to distinguish between user and administrator access? This event is generated ypon successfull logon, but logon to what exactly? Could be a successful logon to everything on the system? Is there any other way to log the administrator access to the system itself using Event viewer? Thank you for your valuable response Georges

Hi, As far as I know, we cannot distinguish between user and administrator access from event 540. For more information, please refer to: Event ID: 540 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033 Events 528 and 540 http://blogs.msdn.com/b/ericfitz/archive/2004/12/09/279282.aspx Regards, Bruce This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.