Can event ID 530, which implies that a user tried to log on outside the allowed time of day, also indicate that a user left a computer running outside the allowed time of day—for example, by going home without turning off his or her computer? If so, how can I distinguish the two situations?
A workstation left on after a user departs for the day can log event ID 530 if a program (either already running or a scheduled task) on the workstation tries to initiate a connection to a server outside the user's allowed logon window. Event ID 530 doesn't let you discern whether a user tried to log on or a program tried to connect to a server.
However, you can look in the domain controller (DC) Security event log for event ID 673 with failure code 0xC (if the workstation is running Windows 2000 or later and is part of the forest) or event ID 681 with error code 3221225583 (if the workstation OS is earlier than Win2K). Event ID 673 denotes a failed logon through the Kerberos authentication protocol and provides the client workstation's IP address. You can trace this event back to the workstation's media access control (MAC) address by reviewing your DHCP server's event log under \%systemroot%\system32\dhcp. Event ID 681 denotes a failed logon through the Windows NT LAN Manager (NTLM) authentication protocol and provides the client workstation's computer name.