Enable Active Directory Logon/Logoff Audit events

Logon/Logoff Audit

In an Active Directory based domain, Logon, Logoff and Logon Failure events are controlled by two security policy settings:
    1. Audit logon events. (4624,4625,4648,4634,4647,4672,4778)
    2. Audit account logon events. (4776,4768,4769,4770,4771,4772,4773,4774)

Audit logon events (Client Events)

   – The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account.
   – On a Domain Controller, this policy records attempts to access the DC only.
   – By using these events we can track a user’s logon duration by mapping logon and logoff events through the user’s Logon ID, which stays the same from the user’s logon until the matching logoff. Refer to this article: Tracking User Logon Activity using Logon and Logoff Events
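The Logon ID mapping described above, as an added example that is not part of the original article: Get-LogonSessions pairs each 4624 (logon) with the 4634 or 4647 (logoff) that carries the same Logon ID and reports the session duration. The four event records in $sample are constructed data; Read-LogonEvents is an assumed helper that builds the same shape of object from the live Security log (it needs administrator rights and the audit policy from this article to be in effect).

```powershell
# Added example: pair logon and logoff events by Logon ID to get session duration.
# Event objects need Id, TimeCreated, LogonId and User properties.

function Get-LogonSessions {
    param([Parameter(Mandatory)] [object[]] $Events)

    $open     = @{}   # LogonId -> the 4624 event that opened the session
    $sessions = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            4624 { $open[$e.LogonId] = $e }
            { $_ -in 4634, 4647 } {
                if ($open.ContainsKey($e.LogonId)) {
                    $start = $open[$e.LogonId]
                    $sessions.Add([pscustomobject]@{
                        User     = $start.User
                        LogonId  = $e.LogonId
                        LogonAt  = $start.TimeCreated
                        LogoffAt = $e.TimeCreated
                        Duration = $e.TimeCreated - $start.TimeCreated
                    })
                    $open.Remove($e.LogonId)
                }
            }
        }
    }
    # A 4624 with no matching logoff is either still active or its logoff was not logged.
    foreach ($id in $open.Keys) {
        $sessions.Add([pscustomobject]@{
            User = $open[$id].User; LogonId = $id; LogonAt = $open[$id].TimeCreated
            LogoffAt = $null; Duration = $null
        })
    }
    return $sessions
}

function Read-LogonEvents {
    # Assumed helper: read 4624/4634/4647 from the local Security log and flatten
    # the EventData fields used above. TargetLogonId is the Logon ID in all three events.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } -MaxEvents 5000 |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id          = $_.Id
                TimeCreated = $_.TimeCreated
                LogonId     = $d['TargetLogonId']
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            }
        }
}

# Constructed sample data (not real log output): two users, one session each.
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-01-15 08:02:10'; LogonId = '0x3E7A1'; User = 'CORP\alice' }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-01-15 08:05:00'; LogonId = '0x41C22'; User = 'CORP\bob' }
    [pscustomobject]@{ Id = 4647; TimeCreated = [datetime]'2024-01-15 12:30:45'; LogonId = '0x3E7A1'; User = 'CORP\alice' }
    [pscustomobject]@{ Id = 4634; TimeCreated = [datetime]'2024-01-15 17:10:00'; LogonId = '0x41C22'; User = 'CORP\bob' }
)

Get-LogonSessions -Events $sample | Format-Table User, LogonId, LogonAt, LogoffAt, Duration
# On a real machine: Get-LogonSessions -Events (Read-LogonEvents)
```

On a busy member server most 4624 events are network (LogonType 3) or service logons; for a picture of who was sitting at the console, filter Read-LogonEvents on the LogonType field (2 for interactive, 10 for RemoteInteractive) before pairing.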

Next: Steps to enable Audit Logon events (client events)

Audit account logon events (DC Events)

  – Account logon events are generated when a domain user account is authenticated on a domain controller.
  – These events are logged in the Domain Controller’s security log.
  – If you enable this policy on a workstation or member server, it records any attempt to log on by using a local account stored in that computer’s SAM.


Next: Steps to enable Account Logon events (DC events)

Steps to enable Audit Logon events (Client Logon/Logoff)

 1. Open the Group Policy Management Console by running the command gpmc.msc.

 2. Right-click on the domain object and click Create a GPO in this domain, and Link it here… (if you don’t want to apply this policy to the whole domain, select the OU you want to apply it to instead of the domain).


3. Type the new GPO name, Logon Logoff Audit Policy, and click OK.


 4. Right-click on the newly created Logon Logoff Audit Policy and click Edit.


 5. Expand Computer Configuration and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

6. Double-click on the policy setting Audit logon events, check Success and Failure audit, and click OK.


7. Now update the GPO by running the command gpupdate /force.


Now we have successfully configured Logon/Logoff Audit events.

Steps to enable Audit Account Logon events (Domain Controller Logon events)

 1. Open the Group Policy Management Console by running the command gpmc.msc.  

 2. Expand the node Domain Controllers, right-click on the GPO Default Domain Controllers Policy and click Edit (if you don’t want to edit the Default Domain Controllers Policy, you can create your own GPO as we did for the logon/logoff audit).


3. Expand Computer Configuration and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

4. Double-click on the policy setting Audit account logon events, check Success and Failure audit, and click OK.

5. Now update the GPO by running the command gpupdate /force.

Now we have successfully configured Account logon and logon failure audit events.
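A way to confirm that both procedures above actually took effect on a machine, as an added example that is not part of the original article: the legacy setting Audit logon events corresponds to the Logon/Logoff category of the advanced audit policy and Audit account logon events to the Account Logon category, so the script asks auditpol for those two categories and checks the subcategories that produce the event IDs listed at the top of this page. The parsing of auditpol output, the list of subcategories checked and the function names are this example's own assumptions; the category and subcategory names are the built-in English ones.

```powershell
# Added example: verify the effective audit policy after gpupdate /force.
# Must run in an elevated PowerShell session; auditpol needs administrator rights.

function Get-EffectiveAuditSetting {
    param([Parameter(Mandatory)] [string] $Category)

    $output = & auditpol.exe /get /category:"$Category" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Category': $output" }

    # auditpol prints one indented "Subcategory   Setting" line per subcategory
    # (assumed layout of the English output; localized systems use other names).
    $pattern = '^\s+(\S.*?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$'
    foreach ($line in $output) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Category = $Category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

function Test-LogonAuditing {
    # Subcategories behind the event IDs on this page: 4624/4634/4647 come from
    # Logon and Logoff; 4776 from Credential Validation; 4768-4773 from the
    # two Kerberos subcategories. Expected setting is Success and Failure.
    $required = @{
        'Logon/Logoff'  = @('Logon', 'Logoff')
        'Account Logon' = @('Credential Validation',
                            'Kerberos Authentication Service',
                            'Kerberos Service Ticket Operations')
    }
    $ok = $true
    foreach ($cat in $required.Keys) {
        $settings = Get-EffectiveAuditSetting -Category $cat
        foreach ($sub in $required[$cat]) {
            $s = $settings | Where-Object { $_.Subcategory -eq $sub }
            if (-not $s -or $s.Setting -ne 'Success and Failure') {
                Write-Warning ("{0}\{1} is '{2}' (expected 'Success and Failure')" -f $cat, $sub, $s.Setting)
                $ok = $false
            }
        }
    }
    return $ok
}

if (Test-LogonAuditing) { 'Logon/Logoff and Account Logon auditing are fully enabled.' }
else                    { 'Audit policy is incomplete; re-check the GPO link and run gpupdate /force.' }
```

One caveat worth keeping in mind: on Windows Vista / Server 2008 and later the advanced audit policy subcategories override the legacy category settings by default, so if another GPO configures Advanced Audit Policy Configuration for these subcategories, that GPO decides what auditpol reports here, not the two settings from this article. Changes to the audit policy itself are recorded as event 4719 in the Security log, which is useful for checking that the GPO was applied and for noticing if someone later turns the auditing off.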

Thanks,
Morgan
Software Developer
