Domain Controller not showing account logins in Event Viewer (auditing enabled)

Joe Grover 566 Reputation points
2024-07-26T11:45:25.6933333+00:00

I have several sites, each of which has a GC domain controller in it. Replication seems to be working fine.

I want to audit account logons and failures, so I enabled Success and Failure for Account Logon Events in group policy, but it doesn't seem to be working (this was in the Default Domain Policy). I then went to enable it in the Domain Controller policy but it was already enabled there.

I'm not sure why it doesn't appear to be capturing the authentication events. I ran auditpol /get /category:* and the only auditing it shows active is under Account Management (Security Group Management and User Account Management)--all of the other things I have enabled in either the Default Domain Policy or the Domain Controller policy show as "No Auditing."

What else should I be looking at?

Active Directory

Accepted answer
  1. Daisy Zhou 29,471 Reputation points Microsoft Vendor
    2024-07-26T14:08:52.7733333+00:00

    Hello Joe Grover

    Thank you for posting in Q&A forum.

    There are two locations where we can configure the audit policies:

    Security Settings\Local Policies\Audit Policy

    Security Settings\Advanced Audit Policy Configuration\System Audit Policies

    You have checked the result of applying the audit policies via the auditpol command:

    auditpol /get /category:* >c:\path\filename.txt

    If this command returns any audit policies, the advanced audit policy settings are configured.

    Because you have configured one advanced audit policy before (Account Management (Security Group Management and User Account Management)), you need to configure auditing of account logons and failures via the advanced audit policy.

    Please check if you configured audit account logons and failures via Advanced Audit Policy Configuration.

    Note:

    Once you use the advanced audit policy on the system, all the legacy audit policies will not be used by this system.

    Once you configure any one advanced audit policy, all legacy audit policies will be overwritten by default.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
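
One way to run the check suggested in the accepted answer, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the domain controller and an English-language OS; the registry value `SCENoApplyLegacyAuditPolicy` is not mentioned in the thread and is included as the setting behind the "force subcategory settings to override category settings" security option.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run on the domain controller.
# Assumption: English-language OS (auditpol category and setting names are localized).

# 1. Effective audit policy for the Account Logon category, as CSV (/r).
$csv = auditpol /get /category:"Account Logon" /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

$effective = $csv |
    Where-Object { $_ -match '\S' } |   # drop blank lines around the CSV
    ConvertFrom-Csv

$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 2. Subcategories that are not auditing both outcomes the question asked for.
$gaps = @($effective | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
if ($gaps.Count -gt 0) {
    Write-Warning "Account Logon subcategories not set to Success and Failure:"
    $gaps | ForEach-Object { "  {0}: {1}" -f $_.Subcategory, $_.'Inclusion Setting' }
} else {
    "All Account Logon subcategories audit Success and Failure."
}

# 3. Registry value behind the security option "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy
#    category settings". Reported as-is; a missing value means not configured.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    "SCENoApplyLegacyAuditPolicy: not configured"
} else {
    "SCENoApplyLegacyAuditPolicy: $($lsa.SCENoApplyLegacyAuditPolicy)"
}
```

After changing the Account Logon subcategories under Advanced Audit Policy Configuration in the GPO that applies to the domain controllers, run `gpupdate /force` and rerun the check.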

