Saturday, 25 October 2014

AD User Logon Audit Events

Auditing AD user logon activity is one of the importance task for every System Admin to ensue AD Domain security. This auditing should includes user logon, logoff, logon failure and account lockout. Active Directory Logon and Logon failure events are categorized under following three categories

Account Logon/Logon failure Event IDs (Domain Controller events):

When a domain user login into his/her client pc which connected the Active Directory domain, the domain user account is authenticated by a domain controller (logon server) before login into client-pc. At this time, either logon or logon failure will event will be logged in the Domain Controller(logon server). Checkout the article Enable Account Logon Audit Event IDs to configure Group Policy to log account logon audit events in DC.

Event ID Event Type Reason
4768 Success/Failure A Kerberos authentication ticket (TGT) was requested to DC.
4769 Success/Failure A Kerberos service ticket was requested to DC.
4771FailureKerberos pre-authentication failed.
4776Success/FailureThe domain controller attempted to validate the credentials for an account.

Account Lockout Event ID: 4740

When a domain user login into his/her client pc which connected the Active Directory domain with wrong password continuously, the account lockout event 4740 will be logged in Domain Controller (logon server). See this article Event 4740 to know more about 4740.

Logon/Logoff events (Client events):

Logon/Logoff Audit events will be logged in local computer, when a user login either by using a domain account or a local account. The logon (4624) and logon failure (4625) event contains the detailed info about user logon activity. Checkout the article Enable Logon/Logoff Audit Event IDs to configure Group Policy to log logon audit events in client-pc.

Event ID Audit Type Event Type Reason
4624 Logon Success An account was successfully logged on.
4625 Logon Failre User account failed to log on.
4634 Logoff Success User account was logged off.
4647 Logoff Success 4647: User initiated logoff.


Thanks,
Morgan
Software Developer

Advertisements
Advertisements

No comments:

Post a Comment