Wednesday, 9 October 2013

Enable Active Directory Logon/Logoff Audit events

Logon/Logoff Audit

In an Active Directory domain, logon, logoff and logon-failure events are controlled by two security policy settings:
    1. Audit logon events (event IDs 4624, 4625, 4648, 4634, 4647, 4672, 4778)
    2. Audit account logon events (event IDs 4776, 4768, 4769, 4770, 4771, 4772, 4773, 4774)

Audit logon events (Client Events)

   - The Audit logon events policy records all attempts to log on to the local computer, whether with a domain account or a local account, and the events are written to that computer's own Security log.
   - On a Domain Controller, this policy only records attempts to log on to the DC itself; it does not record logons to other machines in the domain.
   - By using these events we can track a user's logon duration by pairing the logon event with the matching logoff event on the Logon ID, which is unique for that session between the user's logon and logoff. See this article: Tracking User Logon Activity using Logon and Logoff Events

Next: Steps to enable Audit Logon events (client events)

Audit account logon events (DC Events)

  -  Account logon events are generated when a domain user account is authenticated on a domain controller.
  - These events will be logged in Domain Controller's security log.
  - If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM

Next: Steps to enable Account Logon events (DC events)

Steps to enable Audit Logon events-(Client Logon/Logoff)

 1. Open the Group Policy Management Console by running the command gpmc.msc.

 2. Right-click on the domain object and click Create a GPO in this domain, and Link it here... (if you don't want to apply this policy to the whole domain, select the OU you want to apply it to instead of the domain).



 3. Type the new GPO name: Logon Logoff Audit Policy, and click OK.




 4. Right-click on the newly created Logon Logoff Audit Policy and click Edit.




 5. Expand Computer Configuration, and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

6. Double-click on the policy setting Audit logon events, check Success and Failure audit, and click OK




7. Now update Group Policy on the client by running the command gpupdate /force (the policy is otherwise applied at the next regular refresh).

Now we have successfully configured Logon/Logoff Audit events. One caveat: on Windows Vista / Server 2008 and later, if the Advanced Audit Policy Configuration (Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration) is also defined, its Logon/Logoff subcategories take precedence over this legacy setting, so always confirm the effective policy on a client with auditpol /get /category:* after the refresh.
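The following PowerShell is an added example, not code from the original post. It checks the effective Logon/Logoff audit policy on a client and then does what the "Audit logon events" section describes: pairs 4624 logon events with the matching 4634/4647 logoff events on the Logon ID to get session durations. It assumes an elevated prompt on Windows 7 / Server 2008 R2 or later (reading the Security log requires administrator rights); the 24-hour window and the choice to keep only logon types 2, 7 and 10 are the example's own assumptions.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on Windows 7 / Server 2008 R2 or later.

# 1. Confirm what is actually in effect. On Vista/2008 and later the subcategory
#    settings are what apply, so check the Logon/Logoff subcategories rather than
#    trusting the legacy "Audit logon events" checkbox alone.
auditpol /get /category:"Logon/Logoff"

# 2. Pull logon (4624) and logoff (4634 session ended, 4647 user-initiated) events.
$since  = (Get-Date).AddHours(-24)     # assumption: last 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $since
} -ErrorAction SilentlyContinue

$open    = @{}      # TargetLogonId -> pending logon
$results = @()

foreach ($e in ($events | Sort-Object TimeCreated)) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4624 {
            # Keep Interactive (2), Unlock (7) and RemoteInteractive (10) logons;
            # Network (3) logons are the usual noise and are skipped here.
            if ($data.LogonType -in '2', '7', '10') {
                $open[$data.TargetLogonId] = [pscustomobject]@{
                    User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    LogonType = $data.LogonType
                    LogonTime = $e.TimeCreated
                }
            }
        }
        { $_ -in 4634, 4647 } {
            # The Logon ID is unique for the session, so it ties logoff to logon.
            if ($open.ContainsKey($data.TargetLogonId)) {
                $l = $open[$data.TargetLogonId]
                $results += [pscustomobject]@{
                    User       = $l.User
                    LogonType  = $l.LogonType
                    LogonTime  = $l.LogonTime
                    LogoffTime = $e.TimeCreated
                    Duration   = $e.TimeCreated - $l.LogonTime
                }
                $open.Remove($data.TargetLogonId)
            }
        }
    }
}

$results | Sort-Object LogonTime | Format-Table -AutoSize

# Sessions still in $open have a logon but no logoff yet (user still logged on,
# or the machine was powered off without a clean logoff).
```

Note that a 4647 and a 4634 can both be written for the same session; the script removes the Logon ID after the first matching logoff, so each session is reported once. The policy cannot be told to audit only type 2 logons, but filtering on LogonType at query time, as above, removes most of the type 3 noise.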


Steps to enable Audit Account Logon events - (Domain Controller Logon events)

 1. Open the Group Policy Management Console by running the command gpmc.msc.

 2. Expand the node Domain Controllers, right-click on the GPO Default Domain Controllers Policy and click Edit. (If you don't want to edit the Default Domain Controllers Policy, you can create your own GPO linked to the Domain Controllers OU, as we did for the logon/logoff audit.)



3. Expand Computer Configuration, and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

4. Double-click on the policy setting Audit account logon events, check Success and Failure audit, and click OK



5. Now update Group Policy on the domain controller by running the command gpupdate /force.

Now we have successfully configured Account logon and logon failure audit events. As with the client policy, if the Advanced Audit Policy Configuration is defined on the DCs, its Account Logon subcategories (Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations) take precedence; verify with auditpol /get /category:"Account Logon" on a DC.
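The following PowerShell is an added example, not code from the original post. It runs on a domain controller after the "Audit account logon events" setting is in effect and summarises the failed authentications those events record: 4771 (Kerberos pre-authentication failed) and 4776 with a non-zero Status (NTLM credential validation failed), grouped by source. It assumes an elevated prompt on Server 2008 R2 or later; the 24-hour window is the example's own assumption.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on a domain controller running Server 2008 R2 or later.

$since = (Get-Date).AddHours(-24)     # assumption: last 24 hours

# 4771 = Kerberos pre-authentication failed (a wrong password shows as Status 0x18,
#        an expired password as 0x17). 4776 = NTLM credential validation; a
#        failure carries a non-zero Status (0xC000006A = wrong password).
# 4768/4769 are also Account Logon events but record mostly successful ticket requests.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4771, 4776; StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4771 {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = $data.TargetUserName
                Source  = $data.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
                Proto   = 'Kerberos'
                Status  = $data.Status
            }
        }
        4776 {
            if ($data.Status -ne '0x0') {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Account = $data.TargetUserName
                    Source  = $data.Workstation     # 4776 carries a workstation name, not an IP
                    Proto   = 'NTLM'
                    Status  = $data.Status
                }
            }
        }
    }
}

# Many distinct accounts failing from one source is the password-spray pattern;
# many failures against one account from one source is plain brute force.
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'DistinctAccounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Each DC only holds the events for authentications it handled itself, so in a multi-DC domain run this on every DC (or forward the Security logs to one collector) before drawing conclusions from the counts.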

Thanks,
Morgan
Software Developer


14 comments:

  1. Where can I find exactely the logfile for this policy ?

    Replies
    1. You can find logon events in the Security log in Event Viewer. Run the command eventvwr.msc to open Event Viewer.

  2. Really a very informative article !
    Though, I use an automated tool from Lepide, i.e. (http://www.lepide.com/active-directory-audit/), to find logon events of my users in the domain. This works awesome and is very helpful to achieve my goal quickly. The instant alert feature is much helpful; it alerts instantly by sending a customized email notification when someone is trying to make any changes, even at a granular level, or when any critical changes occur in Active Directory.

  3. Morgan, Could you provide me any programming or script for doing the same?

    Replies
    1. What kind of script do you want? Do you want a script to enable the logon audit policy settings, or do you want a script to read logon events?

  4. If you could direct me to a script for enabling the logon audit policy settings. Thanks, Morgan.

  5. Hi,

    Thanks for the article but appreciate if you can respond to the following scenario:

    In an active directory environment, how can we capture only logs related to interactive logons of the user. Most of the time logon logs are creating noise by showing type 3 logons but how can we only enable type 2 to determine the actual user logon?

    Regards,
    Faisal

    Replies
    1. Sorry Faisal, to my knowledge, this is not possible.

  6. I enabled the log following this guide, but my event viewer is still not showing event ID 4624.
    Is there any other place that I should be looking? We've just installed the Sourcefire agent and it needs event 4624 for the content filtering to work properly.
    my thanks

    Replies
    1. Check the Resultant Set of Policy (RSoP) to find out whether the configured policies are applied or not, by running the command "rsop.msc". You can also check it through the auditpol command: "Auditpol /get /category:*"

  7. Hello,

    Very good post.

    One thing is not crystal clear. I have read quite a few docs and, to my understanding, event 4624 is logged on the workstation that is accessed. The question is, how come we can see event 4624 in the AD events if it is only created on the remote machine?

    Kind regards

    Mikis

    Replies
    1. Having the same issue. How to collect these events on AD.

  8. Didn't work, still not getting 4625 logged in AD.
