If you have Active Directory installed on your network, you might need to find out who has logged on to which computer and when. In this guide we'll explore how to do this.

First of all, a summary of the Event IDs that we need to look for:

Event ID   Type      Description
4624       Success   A user successfully logged on to the Domain
4625       Failure   An account failed to log on to the Domain

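Once the policy below is in place, the script that follows is one way to pull those two events out of a domain controller's Security log and answer "who, where, when". It is an added example, not code from the original post; the -Hours and -ComputerName parameters and the output column names are my own choices, while the field names (TargetUserName, LogonType, IpAddress, SubStatus, ...) are the ones carried in the 4624/4625 event XML.

```powershell
# Added example: list 4624 (success) and 4625 (failure) logons from the Security log.
# Run from an elevated PowerShell session; requires read access to the Security log
# on the target host. Parameter names below are my own, not from the original post.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Logon type codes as documented for event 4624 (only the common ones listed).
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# 4625 SubStatus codes worth recognising when triaging failures.
$subStatus = @{ '0xC000006A' = 'WrongPassword'; '0xC0000064' = 'NoSuchUser' }

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the named EventData fields from the XML instead of scraping the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        $typeName = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "$type" }
        $result = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        $reason = if ($data['SubStatus'] -and $subStatus.ContainsKey($data['SubStatus'])) {
            $subStatus[$data['SubStatus']] } else { $data['SubStatus'] }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Result      = $result
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $typeName
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            Reason      = $reason
        }
    } |
    Where-Object { $_.User -notmatch '\$$' } |   # drop computer accounts (names ending in $)
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Filtering on LogonType 2 and 10 narrows the output to console and RDP logons, which is usually what "who logged on to that computer" means in practice.
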
Create the GPO

Open Group Policy Management on your Forest Root Domain Controller (FRDC) and create a new GPO called "Account Logon Audit".


Edit the newly created policy, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory setting, and set it to "Enabled". That will enable the advanced audit policies for us.

Then change this policy, which is the one that we really want.

Visit the client computer in question (after running gpupdate /force) and run the following to determine whether the advanced policies have been applied:

auditpol /get /category:*

Edit the newly created policy, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account logon events and define the policy setting as enabled for "Success".

Visit your OU and create a new group called "Group Account Logon"; this is the group to which the GPO will be applied. Add to that group the computers and users that you want to log.

Add the "Group Account Logon" group to the Security Filtering of the GPO.

Note:

When using "Advanced Audit Policy Configuration Settings" you need to ensure these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking or disabling any basic audit policy setting, thus preventing Basic (9 settings only) and Advanced (53 settings in total) audit policies from being mixed.

Visit .... Security Settings >> Local Policies >> Security Options and enable "Audit: Force audit policy subcategory setting"; that sets "SCENoApplyLegacyAuditPolicy" in the registry, preventing basic audit policies from being applied.

The new settings can be found in Group Policy under Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration, and the original audit settings can be found here: Security Settings\Local Policies\Audit Policy.
