Sunday, 21 December 2014

Group Policy: Account logon vs Logon events

Both are logon audit policies in Group Policy. In an Active Directory-based domain, Logon, Logoff and Logon Failure events are controlled by these two security policy settings.

Audit Logon events (Client Events)

  • The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account.
  • On a Domain Controller, this policy records attempts to access the DC only.
  • It records both Logon and Logoff events, whereas Account Logon logs only Logon events.
  • Using these events, we can track a user's logon duration by matching logon and logoff events on the user's Logon ID, which is unique between that user's logon and logoff. (Refer to this article: Tracking User Logon Activity using Logon and Logoff Events)
  • Refer to this article: Steps to enable Audit Logon events (client events) to configure the Logon and Logoff events.
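
The Logon ID pairing described in the list above, as an added example that is not from the original post. It assumes the events were exported from the Security log into simple records; the field names and sample values are constructed, and the event IDs are the standard Windows ones (4624 logon, 4634 logoff, 4647 user-initiated logoff).

```python
from datetime import datetime

# Constructed sample records, not real log data. Event IDs are the Windows
# Security log IDs: 4624 logon, 4634 logoff, 4647 user-initiated logoff.
SAMPLE_EVENTS = [
    {"time": "2014-12-21T09:00:05", "computer": "WS01", "event_id": 4624,
     "user": "alice", "logon_id": "0x3e7a1"},
    {"time": "2014-12-21T10:15:00", "computer": "WS02", "event_id": 4624,
     "user": "bob", "logon_id": "0x3e7a1"},   # same ID, different computer
    {"time": "2014-12-21T11:40:00", "computer": "WS01", "event_id": 4634,
     "user": "carol", "logon_id": "0x5b2c9"},  # logon event not in the export
    {"time": "2014-12-21T17:30:00", "computer": "WS01", "event_id": 4647,
     "user": "alice", "logon_id": "0x3e7a1"},
    {"time": "2014-12-21T17:30:02", "computer": "WS01", "event_id": 4634,
     "user": "alice", "logon_id": "0x3e7a1"},  # second logoff record, same session
]
LOGON_IDS, LOGOFF_IDS = {4624}, {4634, 4647}

def pair_sessions(events):
    """Return (closed sessions, logons still open, logoffs with no logon)."""
    open_logons, closed, sessions, orphans = {}, set(), [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        # A Logon ID is only meaningful on the computer that issued it.
        key = (ev["computer"], ev["logon_id"])
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] in LOGON_IDS:
            closed.discard(key)
            open_logons[key] = (ev["user"], when)
        elif ev["event_id"] in LOGOFF_IDS:
            if key in open_logons:
                user, start = open_logons.pop(key)
                closed.add(key)
                sessions.append({"user": user, "computer": key[0],
                                 "logon_id": key[1], "duration": when - start})
            elif key not in closed:   # a 4634 may follow a 4647 for one session
                orphans.append(ev)
    return sessions, open_logons, orphans

if __name__ == "__main__":
    sessions, still_open, orphans = pair_sessions(SAMPLE_EVENTS)
    for s in sessions:
        print(f'{s["user"]}@{s["computer"]} {s["logon_id"]}: {s["duration"]}')
    for (computer, logon_id), (user, start) in still_open.items():
        print(f"{user}@{computer} {logon_id}: no logoff recorded since {start}")
    for ev in orphans:
        print(f'{ev["user"]}@{ev["computer"]} {ev["logon_id"]}: logoff without logon')
```

Logons left open and logoffs with no matching logon usually mean the export window or log retention cut off one half of the pair, so they are reported separately instead of being given a duration.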

Audit account logon events (DC Events)

  • Account logon events are generated when a domain user account is authenticated on a domain controller.
  • These events will be logged in the Domain Controller's security log.
  • If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.
  • This is an authentication event, so it logs only Logon events; that is, it logs an event whenever a user is authenticated by a Domain Controller.
  • Refer to this article: Steps to enable Account Logon events (DC events) to configure Account Logon events.

