If you have Active Directory installed on your network, you will sooner or later need to find out who has logged on to which computer and when. In this guide we'll explore how to do this with a Group Policy Object that turns on logon auditing, and how to verify that the audit settings actually reached the client.

First of all, a summary of the Security log event IDs in Event Viewer that we care about. Both are written to the Security log of the computer on which the logon was attempted (a workstation, a member server or a domain controller), so the event tells you the computer as well as the account and the time:

Event ID   Type      Description
4624       Success   An account was successfully logged on
4625       Failure   An account failed to log on

Create the GPO

Open Group Policy Management on your Forest Root Domain Controller (FRDC) and create a new GPO called "Account Logon Audit".

Edit the newly created policy, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" and set it to Enabled. That makes the advanced (subcategory) audit policies take precedence over the basic audit policy categories, so the two cannot conflict.

Then change the policy that we really want. The subcategory that produces events 4624 and 4625 is Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff > Audit Logon; set it to Success (add Failure as well if you also want the 4625 failed-logon events).

Visit the client computer in question (after running gpupdate /force on it) and run the following from an elevated prompt to determine whether the advanced audit policies have been applied; the Logon subcategory under Logon/Logoff should show Success (or Success and Failure):

auditpol /get /category:*

Edit the policy again, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit logon events and define the policy setting as enabled for "Success". This is the basic-policy counterpart of the Logon subcategory and is the setting that generates 4624/4625 on the computer being logged on to; the neighbouring "Audit account logon events" setting covers credential validation and Kerberos ticket events on the domain controller instead. Because the override from the earlier step makes the advanced subcategory settings win, keep this basic setting consistent with the Audit Logon subcategory rather than relying on it alone.

Visit your OU and create a new group called "Group Account Logon"; this is the group to which the GPO will be applied. Add the computers you want to audit to that group. Since every setting in this GPO lives under Computer Configuration, it is the computer accounts that matter: a computer reads the policy at startup or on gpupdate, and user accounts added to the group have no effect on whether it applies.

Add the "Group Account Logon" group to the Security Filtering of the GPO (this grants the group Read and Apply group policy on it) and link the GPO to the OU that contains those computers. If you remove Authenticated Users from Security Filtering, leave it with Read permission under the Delegation tab so the computers can still read the policy.
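Once the GPO has applied, the two things you want to do from a console are check that the Logon subcategory is really being audited on a machine and then answer the original question (who logged on where, and when) from the 4624/4625 events. The following PowerShell is an added example, not code from the original article: the function names Test-LogonAuditing and Get-LogonReport and the parameter names are this example's own, it assumes an English-language Windows where the auditpol subcategory is called "Logon", an elevated session, and (for remote computers) that the Event Log RPC firewall rules are open.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Assumptions: English subcategory names for auditpol; Event Log remote access allowed
# when -ComputerName points at another machine. Function/parameter names are ours.

function Test-LogonAuditing {
    # auditpol's /r switch prints CSV with the columns
    # "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting".
    # The output may start with an empty line, so drop blank lines before parsing.
    $row = (auditpol /get /subcategory:Logon /r) |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv

    [pscustomobject]@{
        Computer         = $row.'Machine Name'
        Subcategory      = $row.Subcategory
        InclusionSetting = $row.'Inclusion Setting'          # e.g. "Success", "Success and Failure", "No Auditing"
        SuccessAudited   = $row.'Inclusion Setting' -match 'Success'   # 4624 will be written
        FailureAudited   = $row.'Inclusion Setting' -match 'Failure'   # 4625 will be written
    }
}

function Get-LogonReport {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-1),
        # Logon types that mean a person sat at or remoted into the box:
        # 2 interactive, 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive.
        [int[]]    $LogonTypes   = @(2, 7, 10, 11)
    )

    # 4624 and 4625 are recorded on the computer where the logon was attempted,
    # so the report for a machine comes from that machine's own Security log.
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }

    # Get-WinEvent raises a non-terminating "No events were found" error when nothing
    # matches; SilentlyContinue turns that into an empty result instead of red text.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The interesting fields live in <EventData><Data Name="..."> elements;
            # parse the event XML into a name -> value table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $_.MachineName
                EventId   = $_.Id
                Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                LogonType = [int]$data.LogonType
                SourceIP  = $data.IpAddress          # "-" for local console logons
                Status    = $data.Status             # NTSTATUS code, populated only on 4625
            }
        } |
        Where-Object {
            $_.LogonType -in $LogonTypes -and
            $_.User -notmatch '\$$' -and             # drop computer accounts (end in $)
            $_.User -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$'
        }
}

# Usage:
Test-LogonAuditing
Get-LogonReport -Since (Get-Date).AddDays(-7) | Sort-Object Time | Format-Table -AutoSize
```

Test-LogonAuditing reads the effective policy on the machine it runs on, which is exactly what the auditpol check in the procedure above looks at; if SuccessAudited comes back False after gpupdate, the GPO did not apply and the Security Filtering or link is the first thing to revisit. Get-LogonReport drops network (type 3) and service (type 5) logons by default because on a domain-joined workstation those dominate the log and rarely answer "who sat at this computer"; pass -LogonTypes @(2,3,7,10,11) if you also want SMB and other network logons. To cover a whole OU, loop over its computer names with -ComputerName, or forward the Security logs to a collector and run the same query there.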

References

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

https://www.morgantechspace.com/2013/10/logon-and-logoff-events-in-active.html

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
