Auditing AD user logon activity is one of the important tasks for every system admin to ensure AD domain security. This auditing should include user logon, logoff, logon failure and account lockout. Active Directory logon and logon failure events fall into the following three categories:
- Account Logon/Logon failure Events (Domain Controller events)
- Account Lockout Event
- Logon/Logoff events (client events)
Account Logon/Logon failure Event IDs (Domain Controller events): When a domain user logs into a client PC joined to the Active Directory domain, the domain user account is authenticated by a domain controller (the logon server) before the user is allowed into the client PC. At that time, either a logon or a logon failure event is logged on the domain controller (logon server). Check out the article Enable Account Logon Audit Event IDs to configure Group Policy to log account logon audit events on the DC.
| Event ID | Event Type | Reason |
|---|---|---|
| 4768 | Success/Failure | A Kerberos authentication ticket (TGT) was requested from the DC. |
| 4769 | Success/Failure | A Kerberos service ticket was requested from the DC. |
| 4771 | Failure | Kerberos pre-authentication failed. |
| 4776 | Success/Failure | The domain controller attempted to validate the credentials for an account. |
Account Lockout Event ID: 4740. When a domain user repeatedly logs into a domain-joined client PC with the wrong password, the account lockout event 4740 is logged on the domain controller (logon server). See the article Event 4740 to learn more about 4740.
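As an added example (not from the original article), the following PowerShell script pulls the domain controller events listed above (4771 and 4776, plus the lockout event 4740) from a DC's Security log and summarizes failures per account. The `$DC` name and `$Hours` window are assumed parameters, and the script assumes rights to read the remote Security log.

```powershell
# Added example: triage account logon failures and lockouts on a domain controller.
# Assumptions: $DC is a reachable DC and the caller can read its Security log.
param(
    [string]$DC = $env:COMPUTERNAME,   # assumption: defaults to the local machine
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4740       # Kerberos pre-auth failure, NTLM validation, lockout
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    switch ($e.Id) {
        4771 { $user = $d['TargetUserName']; $src = $d['IpAddress']
               $why = "Kerberos pre-auth failed (status $($d['Status']))" }
        4776 { $user = $d['TargetUserName']; $src = $d['Workstation']
               $why = if ($d['Status'] -eq '0x0') { 'NTLM validated' }
                      else { "NTLM validation failed (status $($d['Status']))" } }
        4740 { $user = $d['TargetUserName']; $src = $d['TargetDomainName']  # caller computer
               $why = 'Account locked out' }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $user; Source = $src; Detail = $why }
}

# Timeline of failures and lockouts only (successful 4776 validations are noise here)
$rows | Where-Object { $_.Detail -ne 'NTLM validated' } |
    Sort-Object Time | Format-Table -AutoSize

# Accounts with the most failed validations: repeated wrong passwords or a stale
# cached credential on some host usually shows up here before the 4740 lockout
$rows | Where-Object { $_.Id -eq 4771 -or $_.Detail -like 'NTLM validation failed*' } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

The Source column (client IP for 4771, workstation name for 4776, caller computer for 4740) is what lets you trace a lockout back to the machine that generated the bad attempts.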
Logon/Logoff events (Client events): Logon/Logoff audit events are logged on the local computer when a user logs in using either a domain account or a local account. The logon (4624) and logon failure (4625) events contain detailed information about user logon activity. Check out the article Enable Logon/Logoff Audit Event IDs to configure Group Policy to log logon audit events on the client PC.
| Event ID | Audit Type | Event Type | Reason |
|---|---|---|---|
| 4624 | Logon | Success | An account was successfully logged on. |
| 4625 | Logon | Failure | User account failed to log on. |
| 4634 | Logoff | Success | User account was logged off. |
| 4647 | Logoff | Success | User-initiated logoff. |