Nazaudy, a spark in your curious mind

How to audit user logon sessions in Active Directory using Event ID

This article explains you how to audit user logon sessions in Active Directory using Event ID that can be found in the Windows Operating System

The new settings can be found in Group Policy under Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration, and the original audit settings can be found here: Security Settings\Local Policies\Audit Policy.If you have Active Directory installed on your network, you might experience the need to find out who has logon to what computer and when. In this guide we'll explore how to do this

First of all, a summary of the Event IDs that we need to look for:

Event ID Type Description
4624 Success A user successfully logged on to the Domain
4625 Failure An account failed to log on to the Domain
     
     

 

Create the GPO

Open Group Policy Management in your Forest Root Domain Controller (FRDC) and create a new GPO called "Account Logon Audit"

 How to audit user logon sessions in Active Directory using Event ID

Edit the newly created policy, then visit Computer Configuration Policies >> Windows Settings >> Security Settings >> Local Policies >> Audit Policy >> Audit account logon events and define the policy setting as enabled for "success". Optionally, you can also enable the "failure" is you want to record when somebody enters a wrong password or username

Audit policy for How to audit user logon sessions in Active Directory using Event ID

Once you have done that, visit .... Security Settings >> Local Policies >> Security Options and enable "Audit: Force audit policy subcategory setting" ; that will set the "SCENoApplyLegacyAuditPolicy" in the registry preventing basic audit policies from being applied

MS Audit Advance Option

 

Edit the newly created policy, then visit Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory setting, and set it as "Enabled".  That will enable the advanced auditing policies for us

How to audit user logon sessions in Active Directory using Event ID

When using "Advanced Audit Policy Configuration Settings" you need to ensure these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflict by blocking or disabling of any basic audit policy setting, thus preventing from Basic (9 settings only) and Advanced Audit (53 settings in total) Policies from being mixed. The new settings can be found in Group Policy under Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration, and the original audit settings can be found here: Security Settings\Local Policies\Audit Policy.

 

Finally, visit your OU and create a new group called "Group Account Logon", this is the group to which the GPO will be applied. Add into that group the computers and users that you want to log

Group account logon

Add the Group Account to the Security Filtering of the GPO

Visit the client computer (after running gpupdate /force) in question and run the following to determine if the advanced policies have been applied

A test command that you can issue too is: auditpool /get /category:*

 

If you like this article about how to audit user logon sessions in Active Directory using Event ID, you might be interested in this other one too: https://www.nazaudy.com/setup-and-configure-a-public-key-infrastructure-pki

 

References