How to Audit Successful Logon/Logoff and Failed Logons in Active Directory

11.07.2014 | Auditing

The purpose of this post is to describe the process for auditing successful and failed logon and logoff attempts in the network using the audit policies.

“Audit Logon Events” and “Audit Account Logon Events”, the two policies meant for monitoring logon/logoff events, are disabled by default and must be enabled manually. Before learning how to enable them, it is worth knowing briefly what each one does.

The Audit Logon Events policy controls the auditing of every attempt by a user to log on to or log off from a computer. On domain controllers these events are generated for domain account activity, whereas on local computers they are generated for local user account activity.

The Audit Account Logon Events policy controls the auditing of every event generated on a computer that is used to validate a user's attempt to log on to or log off from another computer. When a domain user account is authenticated by a domain controller, the account logon event is generated and stored on that domain controller. For local user accounts, the event is generated and stored on the local computer that authenticates the user.

How to enable “Audit Logon Events”

    • Run the gpmc.msc command to open the Group Policy Management Console.
    • If you want to apply this to the whole domain, right-click the domain object and click “Create a GPO in this domain, and Link it here…”.

Note: If you do not want to apply this to the whole domain, you can select an OU instead of the domain.

    • Enter a name for the new GPO; this post uses “Logon Logoff Reports”.
    • The new GPO “Logon Logoff Reports” is created. Right-click it and click Edit.
    • A new Group Policy Management Editor (GPME) window will open.
    • Under Computer Configuration, go to the Policies node and expand it as
      Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
    • In the right-hand panel of GPME, either double-click “Audit logon events” or right-click it and choose Properties.
    • The “Audit logon events” properties window will open. Check the “Success” and “Failure” boxes and click “OK”.
    • Now, run gpupdate /force to update the GPO.

We have now successfully enabled “Audit Logon Events”.

How to enable “Audit Account Logon Events”

    • Run the gpmc.msc command to open the Group Policy Management Console.
    • Expand the Domain Controllers node, right-click the “Default Domain Controllers Policy” and click “Edit”.

Note: You can also create your own GPO, as we did for “Audit Logon Events”, if you do not want to edit the Default Domain Controllers Policy.

    • A new Group Policy Management Editor (GPME) window will open.
    • In the GPME window, expand Computer Configuration, go to the Policies node and expand it as Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
    • In the right-hand panel of GPME, either double-click “Audit account logon events” or right-click it and choose Properties.
    • The “Audit account logon events” properties window will open. Check the “Success” and “Failure” boxes and click “OK”.
    • Now, run gpupdate /force to update the GPO.

We have now successfully enabled “Audit account logon events”.

The event IDs for “Audit logon events” and “Audit account logon events” are given below.

*The event IDs above apply to Windows Server 2008 or higher.
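The post's own follow-up check, after gpupdate /force, is to look for the logon event IDs in the Security log. The PowerShell below is an added example, not code from the original post or from the Lepide product: it confirms the effective audit settings with auditpol and then summarises the last 24 hours of logon, logoff and failed-logon events, grouping repeated failures by account. It assumes an elevated session on the machine being checked, and the event IDs are the standard Windows Security log IDs for Server 2008 and later, supplied from Windows documentation rather than from the post's table, which is not reproduced on this page.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the DC or member server whose Security log you want to check.

# 1. Confirm the settings took effect. auditpol shows the per-subcategory
#    state, which is what governs logging once Advanced Audit Policy
#    Configuration is in use (it overrides the legacy category settings).
auditpol /get /category:"Logon/Logoff"   # Audit logon events
auditpol /get /category:"Account Logon"  # Audit account logon events

# 2. Pull the last 24 hours of logon-related events.
$ids = @{
    4624 = 'Successful logon'           # Audit logon events
    4625 = 'Failed logon'               # Audit logon events
    4634 = 'Logoff'                     # Audit logon events
    4647 = 'User-initiated logoff'      # Audit logon events
    4768 = 'Kerberos TGT requested'     # Audit account logon events (DC)
    4771 = 'Kerberos pre-auth failed'   # Audit account logon events (DC)
    4776 = 'NTLM credential validation' # Audit account logon events
}
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Read named EventData fields from the event XML rather than positional
# Properties[] indexes, which differ from one event ID to the next.
function Get-EventField($Event, $Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' } | Select-Object -First 1
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Meaning   = $ids[$e.Id]
        User      = Get-EventField $e 'TargetUserName'
        LogonType = Get-EventField $e 'LogonType'  # 2 interactive, 3 network, 10 RDP
        Source    = Get-EventField $e 'IpAddress'
        Status    = Get-EventField $e 'Status'     # failure code on 4625/4771/4776
    }
}

# 3. Totals per event type, then accounts with five or more failed logons.
$rows | Group-Object Meaning | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$rows | Where-Object { $_.Id -in @(4625, 4771, 4776) -and $_.Status -ne '0x0' } |
    Group-Object User | Where-Object Count -ge 5 | Select-Object Name, Count
```

The 4768/4771/4776 events only appear on the machine that validated the credentials (the domain controller for domain accounts), which is why the post enables “Audit account logon events” in the Default Domain Controllers Policy.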

Issues with Native Auditing

The native auditing of Active Directory has numerous drawbacks. Multiple events are generated for a single action, and it is very difficult to find a particular event in the large pool of events. Event Viewer also consumes a lot of disk space to store events for the long term.

LepideAuditor – The best way to track Logon/Logoff in Active Directory

Lepide’s Active Directory audit solution overcomes the limitations of native auditing and provides an easy way to track all the logon/logoff activities of Active Directory users.

Figure 1: Successful User Logon Logoff report

Figure 2: Failed Logon Report

It is very easy to install and configure LepideAuditor for Active Directory to audit your domain’s Active Directory and Group Policy. You can download the free trial and test it yourself.

You have to check these event IDs in the Security logs to track successful logon/logoff and failed logon attempts. The whole procedure described above for auditing successful and failed logon/logoff in Active Directory can be simplified with the help of LepideAuditor for Active Directory. With it, you can make the entire auditing process simple and thus help maintain a secure AD environment.

Lepide® is a Registered Trademark of Lepide Software Private Limited. © Copyright 2017 Lepide Software Private Limited. All Trademarks Acknowledged.