Summary:
- Event ID 4769 Source
- Enable Event 4769 through Group Policy
- Enable Event 4769 via Auditpol
- Stop Event 4769 via GPO and Auditpol
Event ID 4769 Source
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/17/2014 4:48:29 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Keywords: Audit Success
Computer: MTSDC1.TestDomain.local
Description: A Kerberos service ticket was requested.

Account Information:
    Account Name: [email protected]
    Account Domain: TESTDOMAIN.LOCAL
    Logon GUID: {77a5de7f-8fc6-0cb6-f468-ab81a180ff0e}
Service Information:
    Service Name: MTSDC1$
    Service ID: TESTDOMAINMTSDC1$
Network Information:
    Client Address: ::1
    Client Port: 0
Additional Information:
    Ticket Options: 0x40810000
    Ticket Encryption Type: 0x12
    Failure Code: 0x0
    Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120.
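As an added example (not part of the original article), the PowerShell function below decodes the three Additional Information fields of the sample event. The function name and lookup tables are this example's own and cover only common values from RFC 4120 and Microsoft's event 4769 documentation.

```powershell
# Added example (not the article's code). Tables list common values only;
# a value that is not listed is returned as its hex string.
$KdcOptionFlags = [ordered]@{
    'Forwardable'  = 0x40000000; 'Forwarded'         = 0x20000000
    'Proxiable'    = 0x10000000; 'Proxy'             = 0x08000000
    'Renewable'    = 0x00800000; 'Name-canonicalize' = 0x00010000
    'Renewable-ok' = 0x00000010; 'Enc-tkt-in-skey'   = 0x00000008
    'Renew'        = 0x00000002; 'Validate'          = 0x00000001
}
$EncryptionTypes = @{
    '0x1'  = 'DES-CBC-CRC';             '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC';                '0x18' = 'RC4-HMAC-EXP'
}
$FailureCodes = @{
    '0x0'  = 'Success (ticket issued)'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    '0xC'  = 'KDC_ERR_POLICY'
    '0xE'  = 'KDC_ERR_ETYPE_NOSUPP'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
    '0x25' = 'KRB_AP_ERR_SKEW'
}

function ConvertFrom-Kerberos4769Field {
    param(
        [Parameter(Mandatory)][string]$TicketOptions,
        [Parameter(Mandatory)][string]$EncryptionType,
        [Parameter(Mandatory)][string]$FailureCode
    )
    # Normalize "0x00000012", "0X12" and "0x12" to one lookup key: "0x12".
    $norm = { param($s) '0x{0:X}' -f [Convert]::ToUInt32($s, 16) }
    [int64]$opts = [Convert]::ToUInt32($TicketOptions, 16)
    # Collect the name of every flag bit that is set in the options mask.
    $set = foreach ($f in $KdcOptionFlags.GetEnumerator()) {
        if ($opts -band $f.Value) { $f.Key }
    }
    $e = & $norm $EncryptionType
    $c = & $norm $FailureCode
    [pscustomobject]@{
        TicketOptions  = $set -join ', '
        EncryptionType = if ($EncryptionTypes.ContainsKey($e)) { $EncryptionTypes[$e] } else { $e }
        FailureCode    = if ($FailureCodes.ContainsKey($c)) { $FailureCodes[$c] } else { $c }
    }
}

# Values taken from the sample event shown above.
ConvertFrom-Kerberos4769Field -TicketOptions '0x40810000' -EncryptionType '0x12' -FailureCode '0x0'
```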
Enable Event 4769 via Group Policy
To enable event ID 4769 on every domain controller, configure the audit settings in the Default Domain Controllers Policy. Alternatively, create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policies in the Local Security Policy of each domain controller.
Follow the steps below to enable event 4769 via the Default Domain Controllers Policy.
1. Press the Windows key + R.
2. Type the command gpmc.msc, and click OK.
Note: You can skip the above steps by clicking Start -> Administrative Tools -> Group Policy Management.
3. Expand the domain node and the Domain Controllers OU, right-click the Default Domain Controllers Policy, then click Edit.
4. Expand the Computer Configuration node and Security Settings, and navigate to the Audit Policy node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon).
5. In the right-side pane, double-click Audit account logon events and set both Success and Failure to enable Kerberos logon event 4769.
Note: In Windows 2008 R2 and later versions, you can also control this event with a subcategory-level setting via Advanced Audit Policy Configuration.
Expand Computer Configuration and Security Settings, navigate to the Account Logon node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon), and set Audit Kerberos Service Ticket Operations to Success and Failure.
6. Run the command gpupdate /force from a command prompt to update Group Policy settings.
Enable Event 4769 via Auditpol
Auditpol.exe is a command-line utility for changing audit security settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions and in Windows 7 and later versions. With Auditpol, you can get and set audit security settings at the per-user level and the computer level.
Note: Run the Auditpol command with elevated privileges (Run as Administrator).
You can enable Event 4769 through the Kerberos Service Ticket Operations subcategory by using the following commands:
Success Audit:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
Failure Audit:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /Failure:enable
To update or refresh GPO settings, run the command gpupdate /force.
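To confirm the setting took effect, the following added example (not from the original article) reads the effective subcategory setting and counts recent 4769 events on the local domain controller. The function name and the 60-minute lookback are assumptions, and the text matching assumes an English-language Windows installation.

```powershell
# Added example (not the article's code). Run elevated on a domain controller.
function Test-Kerberos4769Auditing {
    param([int]$LookbackMinutes = 60)   # assumption: how far back to search

    # /r makes auditpol emit CSV; "Inclusion Setting" holds the effective value
    # ("No Auditing", "Success", "Failure" or "Success and Failure").
    $row = auditpol /get /subcategory:"Kerberos Service Ticket Operations" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'

    # When this registry value is 1, subcategory (advanced) settings override
    # the category-level "Audit account logon events" policy.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $force = $lsa.SCENoApplyLegacyAuditPolicy

    # Get-WinEvent returns the newest events first.
    $filter = @{
        LogName   = 'Security'
        Id        = 4769
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EffectiveSetting = $setting
        SuccessAudited   = $setting -match 'Success'
        FailureAudited   = $setting -match 'Failure'
        ForceSubcategory = $force
        Recent4769Count  = $events.Count
        Newest4769       = if ($events) { $events[0].TimeCreated } else { $null }
    }
}

Test-Kerberos4769Auditing | Format-List
```

If EffectiveSetting shows the expected value but Recent4769Count stays at 0, check that the GPO actually applies to this domain controller before changing anything else.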
Disable/Stop Event ID 4769
You can disable or stop audit Event ID 4769 by removing the success and failure audit of the Kerberos Service Ticket Operations subcategory by using the following command:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
You can also stop this event by removing the success and failure setting from the Default Domain Controllers Policy's category-level setting path (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon -> Audit account logon events)
or from the subcategory-level setting (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon -> Audit Kerberos Service Ticket Operations).
Thanks,
Morgan
Software Developer
Ugghh... getting 4768, but no 4769??? Applied in the advanced audit settings, as we have 2012 R2, and I even tried the command line settings...
Any other ideas? Thx
You have to be very careful when you apply advanced settings. Please run the command rsop.msc (Resultant Set of Policy) or gpedit.msc to check that the settings are configured properly.