Logging authentication events

Question

Logging authentication events

Madman2112 111

I use Active Directory on Windows server 2012 R2 Standard. We have over 700 clients through out our company that connects to AD. I would like to start logging authentication events in all of our systems. I need to be able to track when our admin accounts are being used. If we get attacked, I want to be able to look through a log to see where they've been. Would anyone have some feedback on how I can go about doing this. Your feedback would be greatly appreciated.

Anonymous

2020-09-25T07:37:56.377+00:00

Hello @Madman2112 ,
Good day!
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou
Anonymous

2020-09-28T07:33:49.417+00:00

Hello @Madman2112 ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Madman2112 111 Reputation points

2020-09-28T18:57:13.82+00:00

Thank you for your response. This will work. However I just need this to work for Domain admins. How would I setup the location and the Cope to just effect Domain Admins and no one else?
Anonymous

2020-09-30T10:33:33.043+00:00

Hello @Madman2112 ,

Audit policy is computer configuration, not user configuration.

If we configured this audit policy for one computer, no matter what account logs in with which logon type on this machine, the logon event will be logged.

Best Regards,
Daisy Zhou

Accepted answer

0 additional answers

Your answer

Anonymous

2020-09-25T07:37:56.377+00:00

Hello @Madman2112 ,
Good day!
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou
Anonymous

2020-09-28T07:33:49.417+00:00

Hello @Madman2112 ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Madman2112 111 Reputation points

2020-09-28T18:57:13.82+00:00

Thank you for your response. This will work. However I just need this to work for Domain admins. How would I setup the location and the Cope to just effect Domain Admins and no one else?
Anonymous

2020-09-30T10:33:33.043+00:00

Hello @Madman2112 ,

Audit policy is computer configuration, not user configuration.

If we configured this audit policy for one computer, no matter what account logs in with which logon type on this machine, the logon event will be logged.

Best Regards,
Daisy Zhou

Answer 1

Hello @Madman2112 ,

Thank you for posting here.

We can configure the audit policy setting as below.

GPO: Default Domain Policy

Legacy audit policy:

Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Logon Events – Successs and Failure

OR use advanced audit policies (advanced audit policies will overwrite traditional audit policies by default):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
Logon/Logoff: Audit Logon – SUccess and Failure

After that we can update GPO on clients.

When any account are logged on one clients, we can check the 2624 (successful log on ) and 4625 (failed log on) through Security logs in Event Viewer.

References
4625(F): An account failed to log on.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

4624(S): An account was successfully logged on.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Best Regards,
Daisy Zhou

Share via

Logging authentication events

0 additional answers

Your answer