If you run Active Directory on your network, you may need to find out who has logged on to which computer, and when. In this guide we'll explore how to do this.
First of all, a summary of what each relevant Event ID in Event Viewer means:
| Event ID | Result | Description |
|---|---|---|
| 4624 | Success | A user successfully logged on to the Domain |
| 4625 | Failure | An account failed to log on to the Domain |
Create the GPO
Open Group Policy Management on your Forest Root Domain Controller (FRDC) and create a new GPO called "Account Logon Audit".
Edit the newly created policy, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory setting, and set it to "Enabled". That will enable the advanced auditing policies for us.
Then, change this policy, which is the one that we really want
Visit the client computer in question (after running gpupdate /force) and run the following to determine whether the advanced policies have been applied:
auditpol /get /category:*
Edit the newly created policy, then visit Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account logon events and define the policy setting as enabled for "success".
Visit your OU and create a new group called "Group Account Logon". This is the group to which the GPO will be applied. Add to that group the computers and users that you want to log.
Add the "Group Account Logon" group to the Security Filtering of the GPO.
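Once the GPO applies, the 4624 and 4625 events in the Security log hold the "who, where and when" this guide is after. The script below is an added example, not part of the original guide: the function name ConvertFrom-LogonEventXml is hypothetical, the sample event is constructed with placeholder names and a documentation IP address, and the Data field names are the ones these two events normally carry.

```powershell
function ConvertFrom-LogonEventXml {
    # Turns the XML of one 4624/4625 event into a "who / where / when" record.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e  = ([xml]$EventXml).Event
        $id = [int]$e.System.EventID
        if ($id -notin 4624, 4625) { return }        # skip any other event
        $data = @{}                                   # EventData/Data[@Name] -> value
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
            Computer    = $e.System.Computer          # machine that logged the event
            Result      = if ($id -eq 4624) { 'Success' } else { 'Failure' }
            Account     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = $data.LogonType             # e.g. 2 = interactive, 3 = network
            SourceHost  = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    }
}

# Constructed sample event, trimmed to the fields the function reads.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2024-01-15T08:30:00.000Z" />
    <Computer>PC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">PC02</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonEventXml | Format-List

# Against a live Security log (elevated session, last 24 hours):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml | Sort-Object TimeCreated
```

Get-WinEvent raises an error when no event matches the filter, so an empty result on a freshly configured machine usually means the audit policy has not yet produced any events.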