![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 30%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
7,023 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Tin Huynh,
Thank you for posting in Q&A forum.
Based on the description, how did you configure the
Audit Logon Events (Success, Failure) within the Default Domain Controller Policy?
Legacy audit policy or advanced audit policies? Here is the advanced audit policies and Legacy audit policy.
Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Account Logon Events – Success and Failure
Advanced audit policies:
Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default once you enable any one advanced audit policy):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration\Logon/Logoff:
Audit Logon – Success and Failure
Note:
1.If you have never configured any advanced audit policy before, then you configure the legacy audit policy.
2.If you have configured any advanced audit policy before, then you have configured the advanced audit policy.
3.Once you configured any one advanced audit policies, then all legacy audit policies will be overwritten by default.
If you configured by advanced audit policy, please run command gpupdate /force
to refresh GPO on DC and run command auditpol /get /category:* on DC to view the advanced audit policy we configured.
After you configured Audit Logon Events (Success, Failure) within the Default Domain Controller Policy, you can try to sign in Domain Controller using domain Administrator or domain user account to see if you can see event ID 4625 (sigin in failure) or 4624 (sign in success).
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
==========================================
If the Answer is helpful, please click "Accept Answer" and upvote it.