Which version of NTLM is logged with the NTLM Audit GPOs?

p0shkar 26 Reputation points
2024-01-03T14:37:10.5033333+00:00

Does anyone know if the following two GPOs log only NTLM (v1) or both v1 and v2? Or do we have to enable "Logon Success Auditing" to figure that out?

Network security: Restrict NTLM: Audit NTLM authentication in this domain

Network security: Restrict NTLM: Audit incoming NTLM traffic


Accepted answer
  1. Anonymous
    2024-01-04T04:51:39.04+00:00

    Hi p0shkar,

    These Restrict NTLM GPOs will audit both NTLM and NTLM v2 traffic.

    Best Regards,

    Ian Xue


    1 person found this answer helpful.

2 additional answers

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2024-01-03T16:48:54.6533333+00:00

    Hi @p0shkar

    Network security: Restrict NTLM: Audit NTLM authentication in this domain
    Network security: Restrict NTLM: Audit incoming NTLM traffic
    => These settings should be enough to enable NTLMv1 audit and identify the server still using this protocol by checking event 4624.

    You can also enable "Logon Success Auditing" if you want to get more details, but it's not required.

    I invite you to read the following link for more details:

    Auditing and restricting NTLM authentication using Group Policy


    Please don't forget to accept the helpful answer.

    0 comments No comments
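The event 4624 check mentioned in the answer above, as an added example that is not part of the original thread: in a 4624 record the `LmPackageName` field carries the NTLM version ("NTLM V1" or "NTLM V2") whenever `AuthenticationPackageName` is `NTLM`. The function name `Get-NtlmLogonInfo` and the sample events are constructed for illustration.

```powershell
# Added example: classify event 4624 logons by NTLM version (LmPackageName field).
function Get-NtlmLogonInfo {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <EventData><Data Name="..."> into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Skip non-NTLM logons (e.g. Kerberos), where LmPackageName is "-".
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { return }

        [pscustomobject]@{
            NtlmVersion = $data['LmPackageName']   # "NTLM V1" or "NTLM V2"
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# Constructed sample events, trimmed to the fields used above, so this runs offline.
$fmt = '<Event><EventData>' +
       '<Data Name="TargetUserName">{0}</Data>' +
       '<Data Name="AuthenticationPackageName">{1}</Data>' +
       '<Data Name="LmPackageName">{2}</Data>' +
       '<Data Name="WorkstationName">{3}</Data>' +
       '<Data Name="IpAddress">{4}</Data>' +
       '</EventData></Event>'
$samples = @(
    ($fmt -f 'svc-legacy', 'NTLM',     'NTLM V1', 'OLDAPP01', '10.0.0.15'),
    ($fmt -f 'alice',      'NTLM',     'NTLM V2', 'WKS-042',  '10.0.0.77'),
    ($fmt -f 'bob',        'Kerberos', '-',       '-',        '10.0.0.80')
)

$logons = $samples | Get-NtlmLogonInfo

# Count of logons per NTLM version, then the NTLMv1 sources to follow up on.
$logons | Group-Object NtlmVersion | Select-Object Name, Count
$logons | Where-Object NtlmVersion -eq 'NTLM V1' |
    Format-Table User, Workstation, SourceIp

# Against a live Security log (elevated session), feed real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ForEach-Object { $_.ToXml() } | Get-NtlmLogonInfo
```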

  2. p0shkar 26 Reputation points
    2024-01-04T11:00:57.15+00:00

    Thanks both for the answers!

    0 comments No comments
