How to enable Windows 11 system user login and behavior audit log features?

tj_zero 65 Reputation points
2023-09-12T08:37:47.3333333+00:00

How to enable Windows 11 system user login and behavior audit log features?

I hope to achieve the following objectives:

  1. Record the user ID login information and record the operation content in as much detail as possible (e.g., file deletion or access).
  2. Set the PC log to be saved to a specified PC (remote records, to avoid tampering and destruction).

This is a necessary condition for direct behavior tracing of common PC users.

I hope engineers with experience in this can help. Thank you.


2 answers

  1. Darrell Gorter 1,791 Reputation points
    2023-09-12T17:27:55.7866667+00:00

    Hello,

    There are some policies you can use to track some of the items you list.

    I would start by running gpedit.msc

    and looking at the following sections: Event_Viewer

    You can use wevtutil to retrieve event log information.

    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

    Thanks

    Darrell


  2. チャブーン 1,281 Reputation points MVP
    2023-09-14T06:07:32.49+00:00

    Hi, tj_zero

    This is Chaboon.

    First, you should understand that user logon auditing and file access auditing are configured separately.

    For example, you audit Security Log Event IDs 4648 and 4647 in Windows 11; see the articles below:

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647

    For file access auditing, configure the auditing settings using group policy, and then configure the settings for the "file server" resources that you want to audit. See the article below:

    https://www.lepide.com/how-to/track-who-read-files-on-your-windows-file-servers.html

    Audit logs output on Windows 11 and file servers can be collected in one place with an event log subscription. See the article below:

    https://sid-500.com/2018/04/23/active-directory-configuring-event-log-subscriptions-forwarding/

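The steps from both answers, combined for a single Windows 11 PC as an added example (not part of either answer and not taken from the linked articles). The folder in `$AuditPath` is a placeholder, and event ID 4663 (object access attempt) is added here alongside the 4648 and 4647 events mentioned above.

```powershell
#Requires -RunAsAdministrator
# Added example. $AuditPath is a placeholder: set it to the folder to be audited.
$AuditPath = 'C:\AuditedData'

# 1. Enable the audit policy subcategories (local equivalent of the Group Policy
#    settings). Subcategory names are localized; on non-English systems list the
#    GUIDs with:  auditpol /list /subcategory:* /v
auditpol /set /subcategory:"Logon"       /success:enable /failure:enable   # 4648
auditpol /set /subcategory:"Logoff"      /success:enable                   # 4647
auditpol /set /subcategory:"File System" /success:enable /failure:enable   # 4663

# 2. File auditing also needs an audit entry (SACL) on the resource itself.
#    S-1-1-0 is the well-known SID for Everyone, so this works on any UI language.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule     = [System.Security.AccessControl.FileSystemAuditRule]::new(
                $everyone, $rights, $inherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $AuditPath -Audit      # -Audit loads the existing SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# 3. Confirm both settings took effect.
auditpol /get /category:"Logon/Logoff","Object Access"
(Get-Acl -Path $AuditPath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Review the last 24 hours of logon, logoff and file-access events.
$filter = @{
    LogName   = 'Security'
    Id        = 4647, 4648, 4663
    StartTime = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 5. Forwarding to another PC (event log subscription) is set up separately:
#    on this PC (the source):     winrm quickconfig -q
#    on the collector PC:         wecutil qc /q
#    then create the subscription on the collector (Event Viewer > Subscriptions).
```

Auditing `Everyone` for read access on a busy folder generates a large volume of 4663 events, so increase the Security log size or narrow the audited rights before relying on local retention.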
