Enable Active Directory Logon/Logoff Audit events

Logon/Logoff Audit

In an Active Directory domain, logon, logoff and logon-failure events are controlled by two security policy settings:
    1. Audit logon events (event IDs 4624, 4625, 4648, 4634, 4647, 4672, 4778)
    2. Audit account logon events (event IDs 4776, 4768, 4769, 4770, 4771, 4772, 4773, 4774)

Audit logon events (Client Events)

   – The Audit logon events policy records every attempt to log on to the local computer, whether with a domain account or a local account, and writes the event to that computer's own Security log.
   – On a domain controller, this policy records only attempts to access the DC itself (for example an RDP or SMB session to the DC), not logons to other machines in the domain.
   – By using these events we can track a user's logon duration by mapping the logon event (4624) to the matching logoff event (4634 or 4647) through the Logon ID, which is unique for the lifetime of one logon session. Refer to this article: Tracking User Logon Activity using Logon and Logoff Events
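The Logon ID mapping described above, as an added PowerShell example that is not part of the original article. It pairs 4624 events with their 4634/4647 logoff events to compute session durations, and goes one step further than the text by filtering on LogonType so that interactive sessions (console and RDP) are kept and the type 3 network logons that fill most Security logs are dropped. The `$sample` records are constructed for offline use; `Get-LogonRecord` reads the live Security log and needs an elevated prompt on the audited host.

```powershell
# Added example (not from the original article): pair 4624 logon events with their
# 4634/4647 logoff events by Logon ID to compute session durations. Filtering on
# LogonType keeps interactive sessions and drops type 3 network logons.
# $sample below is constructed data; Get-LogonRecord reads the live Security log.

# Logon types that mean a person signed in: 2 Interactive, 10 RemoteInteractive, 11 CachedInteractive.
$InteractiveTypes = 2, 10, 11

function Get-LogonRecord {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Id        = $_.Id
                Time      = $_.TimeCreated
                LogonId   = $d['TargetLogonId']                                             # e.g. 0x3E7A1, unique per logon session
                LogonType = if ($d['LogonType']) { [int]$d['LogonType'] } else { $null }    # 4647 carries no LogonType
                User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            }
        }
}

function ConvertTo-LogonSession {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int[]]$LogonTypes = $InteractiveTypes
    )
    # Earliest logoff seen for each Logon ID; either 4634 or 4647 ends the session.
    $logoffs = @{}
    foreach ($r in ($Records | Where-Object { $_.Id -in 4634, 4647 })) {
        if (-not $logoffs.ContainsKey($r.LogonId) -or $r.Time -lt $logoffs[$r.LogonId].Time) {
            $logoffs[$r.LogonId] = $r
        }
    }
    foreach ($on in ($Records | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in $LogonTypes } | Sort-Object Time)) {
        $off = $logoffs[$on.LogonId]
        [pscustomobject]@{
            User       = $on.User
            LogonId    = $on.LogonId
            LogonType  = $on.LogonType
            LogonTime  = $on.Time
            LogoffTime = if ($off) { $off.Time } else { $null }          # $null: no logoff recorded yet
            Duration   = if ($off) { $off.Time - $on.Time } else { $null }
        }
    }
}

# Constructed sample: two interactive sessions and one network logon that is filtered out.
$t0 = Get-Date '2024-01-15T08:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4624; Time = $t0;                            LogonId = '0x3E7A1'; LogonType = 2;     User = 'CORP\alice' }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(1);              LogonId = '0x3E7B2'; LogonType = 3;     User = 'CORP\svc-backup' }
    [pscustomobject]@{ Id = 4634; Time = $t0.AddMinutes(2);              LogonId = '0x3E7B2'; LogonType = 3;     User = 'CORP\svc-backup' }
    [pscustomobject]@{ Id = 4624; Time = $t0.AddHours(1);                LogonId = '0x3F001'; LogonType = 10;    User = 'CORP\bob' }
    [pscustomobject]@{ Id = 4647; Time = $t0.AddHours(3);                LogonId = '0x3F001'; LogonType = $null; User = 'CORP\bob' }
    [pscustomobject]@{ Id = 4634; Time = $t0.AddHours(8).AddMinutes(30); LogonId = '0x3E7A1'; LogonType = 2;     User = 'CORP\alice' }
)

ConvertTo-LogonSession -Records $sample | Format-Table -AutoSize
# Against the live log: ConvertTo-LogonSession -Records (Get-LogonRecord -Since (Get-Date).AddDays(-7))
```

Pass `-LogonTypes 2,3,10,11` if service or network sessions should be included as well; a 4624 whose Logon ID never gets a 4634/4647 shows up with an empty LogoffTime, which is what you see for sessions that are still open or for a log that was rotated between the two events.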

Next: Steps to enable Audit Logon events (client events)

Audit account logon events (DC Events)

   – Account logon events are generated when a domain user account is authenticated by a domain controller (Kerberos ticket requests and NTLM credential validation).
   – These events are logged in the domain controller's Security log, even when the logon itself happens on a workstation or member server.
   – If you enable this policy on a workstation or member server, it records attempts to log on with a local account stored in that computer's SAM.


Next: Steps to enable Account Logon events (DC events)

Steps to enable Audit Logon events-(Client Logon/Logoff)

 1. Open the Group Policy Management Console by running the command gpmc.msc.

 2. Right-click on the domain object and click Create a GPO in this domain, and Link it here… (if you don't want to apply this policy to the whole domain, right-click the OU you want to apply it to instead of the domain).

 3. Type the new GPO name, Logon Logoff Audit Policy, and click OK.

 4. Right-click on the newly created Logon Logoff Audit Policy and click Edit.


 5. Expand Computer Configuration and go to the Audit Policy node (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

 6. Double-click the policy setting Audit logon events, check both Success and Failure, and click OK.

 7. Now update Group Policy on a target machine by running the command gpupdate /force.


Now we have successfully configured Logon/Logoff audit events. One caveat for Windows Vista/Server 2008 and later: if subcategory-level settings under Advanced Audit Policy Configuration are in effect on the machine, they override the legacy category setting configured above, and you should enable the Logon, Logoff and Special Logon subcategories there instead. Either way, confirm the effective policy on a target machine with auditpol /get /category:"Logon/Logoff" before relying on the events.

Steps to enable Audit Account Logon events – (Domain Controller Logon events)

 1. Open the Group Policy Management Console by running the command gpmc.msc.  

 2. Expand the Domain Controllers node, right-click the GPO Default Domain Controllers Policy and click Edit (if you don't want to edit the Default Domain Controllers Policy, create your own GPO linked to the Domain Controllers OU, as we did for the logon/logoff audit).

3. Expand Computer Configuration and go to the Audit Policy node (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).

4. Double-click the policy setting Audit account logon events, check both Success and Failure, and click OK.

5. Now update Group Policy on the domain controller by running the command gpupdate /force.

Now we have successfully configured account logon and logon failure audit events. On the domain controller these appear in its Security log as 4768/4769/4771 (Kerberos) and 4776 (NTLM credential validation); a 4624 for the same user is still written only on the computer that was actually logged on to.
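Both walkthroughs above, done from PowerShell and then verified, as an added example that is not part of the original article. It creates and links the GPO with the GroupPolicy module cmdlets, refreshes policy, reads the effective audit policy back with auditpol (the same check suggested in the comments), and counts the resulting events. The GPO name and the link target are assumptions; the Audit Policy entries inside Security Settings have no GroupPolicy cmdlet, so those are still set in the editor as shown in the steps, and the script verifies the outcome. Run it in an elevated prompt on a domain-joined machine with the RSAT GroupPolicy and ActiveDirectory modules installed.

```powershell
# Added example (not from the original article): the GPMC steps done from
# PowerShell, followed by a check that the policy actually took effect here.
# $GpoName and $Target are assumptions; adjust them for your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Logon Logoff Audit Policy'          # assumed name, as in the walkthrough
$Target  = (Get-ADDomain).DistinguishedName     # domain root; give an OU DN to narrow the scope

# 1. Create and link the GPO if it is not there yet. The Audit Policy settings under
#    Security Settings have no GroupPolicy cmdlet, so they are set in the editor;
#    everything from step 3 on verifies the result.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $Target -LinkEnabled Yes | Out-Null
}

# 2. Refresh policy on this host.
gpupdate /force | Out-Null

# 3. Subcategories that the two legacy settings turn on, as auditpol names them.
$Expected = @{
    'Audit logon events'         = 'Logon', 'Logoff', 'Special Logon'
    'Audit account logon events' = 'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'
}

function Test-AuditPolicy {
    param([hashtable]$Expected)
    # auditpol /r prints CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows  = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    $allOk = $true
    foreach ($setting in $Expected.Keys) {
        foreach ($sub in $Expected[$setting]) {
            $row   = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
            $state = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
            $ok    = $state -eq 'Success and Failure'
            if (-not $ok) { $allOk = $false }
            Write-Host ('{0,-28} {1,-36} {2,-20} {3}' -f $setting, $sub, $state, $(if ($ok) { 'OK' } else { 'FIX' }))
        }
    }
    return $allOk
}

# 4. Events from the last hour, by ID: 4624/4625 appear on the host being logged on to,
#    4768/4769/4776 on a domain controller. An empty result right after a successful
#    Test-AuditPolicy usually just means nobody has logged on since the refresh.
function Get-RecentLogonEventCount {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4768, 4769, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object { [pscustomobject]@{ Id = [int]$_.Name; Count = $_.Count } }
}

if (Test-AuditPolicy -Expected $Expected) {
    Write-Host 'Effective audit policy matches; recent events:'
    Get-RecentLogonEventCount -Hours 1 | Format-Table -AutoSize
} else {
    Write-Warning 'Some subcategories are not "Success and Failure". Check rsop.msc, and whether an Advanced Audit Policy Configuration entry overrides the legacy setting.'
}
```

The legacy "Audit logon events" setting actually enables every subcategory in the Logon/Logoff category, so auditpol will also report Account Lockout, Other Logon/Logoff Events and the IPsec subcategories as "Success and Failure"; the script only checks the ones that produce the event IDs listed at the top of the article.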

Thanks,
Morgan
Software Developer


13 thoughts on “Enable Active Directory Logon/Logoff Audit events”

  1. Really a very informative article !
    Though I use an automated tool from Lepide, i.e. (http://www.lepide.com/active-directory-audit/), to find logon events of my users in the domain. This works awesome and is very helpful to achieve my goal quickly. The instant alert feature is much helpful; it alerts instantly by sending a customized email notification when someone is trying to make any changes, even at a granular level, or any critical changes occur in Active Directory.

  2. Hi,

    Thanks for the article but appreciate if you can respond to the following scenario:

    In an active directory environment, how can we capture only logs related to interactive logons of the user. Most of the time logon logs are creating noise by showing type 3 logons but how can we only enable type 2 to determine the actual user logon?

    Regards,
    Faisal

  3. I enabled the log following this guide, but still my event viewer is not showing event ID 4624.
    Any other place that I should be looking? We've just installed the sourceFire agent and it needs event 4624 for the content filtering to work properly.
    my thanks

    • Check the Resultant Set of Policy (RSoP) to find out whether the configured policies are applied or not, by running the command "rsop.msc". You can also check it through the auditpol command: "Auditpol /get /category:*"

  4. Hello,

    Very good post.

    One thing is not crystal clear. I read quite a few docs and, to my understanding, event 4624 is logged on the workstation that is accessed. The question is, how come we can see event 4624 in the AD events if this is only created on the remote machine?

    Kind regards

    Mikis
