How to Audit Successful Logon/Logoff and Failed Logons in Active Directory

Updated On - 01.21.2021 | Auditing

The purpose of this post is to define the process to audit the successful or failed logon and logoff attempts in the network using the audit policies.

“Audit Logon Events” and “Audit Account Logon Events”, the two policies that monitor logon/logoff events, are disabled by default and must be enabled manually. Before learning how to enable them, it helps to know briefly what each one does.

Audit Logon Events policy defines the auditing of every user attempt to log on to or log off from a computer. The account logon events on the domain controllers are generated for domain account activities, whereas these events on the local computers are generated for the local user account activities.

Audit Account Logon Events policy defines the auditing of every event generated on a computer that is used to validate user attempts to log on to or log off from another computer. Such account logon events are generated and stored on the domain controller when a domain user account is authenticated by that domain controller. For local user accounts, these events are generated and stored on the local computer when a local user is authenticated on that computer.

How to enable “Audit Logon Events”

    • Run gpmc.msc to open the Group Policy Management Console.

    • If you want to apply this to the whole domain, right-click the domain object and click Create a GPO in this domain, and Link it here….

Note: If you do not want to apply this to the whole domain, select an OU instead of the domain.

    • Enter a name for the new GPO, as shown in the image below.

    • A new GPO named “Logon Logoff Reports” is created. Right-click it and click Edit.

    • A new Group Policy Management Editor (GPME) window opens.
    • Under Computer Configuration, go to the Policies node and expand it as
      Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
    • In the right-hand panel of GPME, either double-click “Audit logon events” or right-click it and choose Properties.
    • The “Audit logon events” properties window opens. Check the “Success” and “Failure” boxes and click “OK”.

    • Now, run gpupdate /force to update the GPO.

Now, we have successfully enabled “Audit Logon Events”

How to enable “Audit Account Logon Events”

    • Run gpmc.msc to open the Group Policy Management Console.

    • Expand the Domain Controllers node, right-click the “Default Domain Controllers Policy” and click “Edit”.

Note: You can also create your own GPO, as we did for “Audit Logon Events”, if you do not want to edit the Default Domain Controllers Policy.

    • A new Group Policy Management Editor (GPME) window opens.
    • In the GPME window, expand Computer Configuration, go to the “Policies” node and expand it as Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
    • In the right-hand panel of GPME, either double-click “Audit account logon events” or right-click it and choose Properties.
    • The “Audit account logon events” properties window opens. Check the “Success” and “Failure” boxes and click “OK”.

    • Now, run gpupdate /force to update the GPO.

Now, we have successfully enabled “Audit account logon events”
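Before relying on the logs, it is worth confirming that both GPO settings actually took effect on the machine. The following check is an added example, not part of the original post; it reads the effective audit policy back with auditpol from an elevated prompt on a domain controller, and assumes English-language auditpol output and that no Advanced Audit Policy Configuration subcategory settings are deployed, since on Server 2008 R2 and later those override the legacy categories enabled above.

```powershell
# Added check, not from the original post: read back the effective audit
# policy after the GPOs above have been applied. Run from an elevated prompt.
# Assumption: English auditpol output, and no Advanced Audit Policy
# Configuration settings in force (those override the legacy categories).

gpupdate /force | Out-Null

# Legacy "Audit logon events"         -> auditpol category "Logon/Logoff"
# Legacy "Audit account logon events" -> auditpol category "Account Logon"
# For each category, the subcategories we expect and the setting we expect on them.
$expected = @{
    'Logon/Logoff'  = @{ 'Logon' = 'Success and Failure'; 'Logoff' = 'Success' }
    'Account Logon' = @{ 'Credential Validation'           = 'Success and Failure'
                         'Kerberos Authentication Service' = 'Success and Failure' }
}

$problems = @()
foreach ($category in $expected.Keys) {
    # auditpol prints one indented "  <Subcategory>   <Setting>" line per subcategory
    $lines = auditpol /get /category:"$category"
    foreach ($sub in $expected[$category].Keys) {
        $want = $expected[$category][$sub]
        $line = $lines | Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s" }
        if (-not $line -or "$line" -notmatch $want) {
            $problems += "$category / $sub : expected '$want', got '$("$line".Trim())'"
        }
    }
}

if ($problems) {
    Write-Warning "Audit policy not fully applied:`n$($problems -join "`n")"
    # Show which GPOs this computer actually received; the one linked above should be listed
    gpresult /r /scope computer
} else {
    Write-Host 'Logon/Logoff and Account Logon auditing are enabled as configured.'
}
```

If a subcategory reports "No Auditing" even though gpresult lists the GPO, look for an Advanced Audit Policy setting elsewhere in the GPO chain that is overriding it.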

The event IDs for “Audit logon events” and “Audit account logon events” are given below. Check these event IDs in the Security log to track successful logons/logoffs and failed logon attempts.

*The above IDs apply to Windows Server 2008 or higher.

How to Filter the Security Event Log

  1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Event Viewer”.
  2. In the left panel, go to “Windows Logs” ➔ “Security” to view the security log.
  3. As an example, search for Event ID 4648 to find that particular record.
  4. A dialog box appears confirming that “a logon was attempted using explicit credentials”.
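Searching the Security log one event at a time in Event Viewer does not scale, so the following added example (not code from the original post) does the same filtering from PowerShell: it pulls the successful logon (4624), failed logon (4625) and explicit-credential logon (4648) events from the last day, flattens the EventData fields an analyst actually looks at, and groups the failures per account. The function name and its parameters are hypothetical; run it elevated on the server whose log you want to read.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumption: hypothetical function name; -Hours and -ComputerName are ours.
function Get-LogonEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # 4624 successful logon, 4625 failed logon, 4648 logon with explicit credentials
    $outcome = @{ 4624 = 'Success'; 4625 = 'Failure'; 4648 = 'ExplicitCreds' }
    $filter  = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4648
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is stored as <Data Name="TargetUserName">bob</Data> ... in the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Outcome     = $outcome[$e.Id]
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']      # 2 interactive, 3 network, 10 RemoteInteractive
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            SubStatus   = $data['SubStatus']      # 4625 only, e.g. 0xC000006A = bad password
        }
    }
}

# Human accounts only: computer accounts end in '$' and dominate the log
$logons = Get-LogonEvents -Hours 24 | Where-Object { $_.Account -notmatch '\$$' }
$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Failed logons grouped by account: repeated failures on one account are what
# lockout thresholds and a SIEM alert rule would key on
$logons | Where-Object EventId -eq 4625 |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because "Audit account logon events" writes its events on the domain controller while "Audit logon events" writes them on the machine being logged on to, run this against the DC for domain-account authentication and against the member server for the 4624/4625 records of sessions on that server.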

Issues with Native Auditing

The native auditing of Active Directory has numerous drawbacks. Multiple events are generated for a single logon action, and it is very difficult to find a particular event in the large pool of events. Retaining events in Event Viewer for the long term also consumes a lot of disk space.

The whole procedure described above for auditing successful and failed logons/logoffs in Active Directory can be simplified with Lepide Active Directory Auditor, which makes the entire auditing process simple and helps maintain a secure AD environment.

How Lepide Active Directory Auditor tracks Logon/Logoff in Active Directory

Lepide’s Active Directory audit solution (part of Lepide Data Security Platform) overcomes the limitations of native auditing and provides an easy way to track all the logon/logoff activities of Active Directory users.

Figure 1: Successful User Logon Logoff report

Figure 2: Failed Logon Report

It is very easy to install and configure. You can download the 15-day free trial and test it yourself.
