how to filter the event viewer security log for failed logon?

Question

how to filter the event viewer security log for failed logon?

hendri yu 66

Dear Expert,

Good Day

I am checking the Windows log - Security in the AD server event viewer. However i don't seem to be able to find any log with failed login. for instance something related to account locked out, etc. Because this log might be required for the audit purpose.

FYI, our AD is running Windows Server 2012 Enterprise.

Thanks
H

1 answer

Your answer

Answer 1

Carl Fan 6,881

Hi H,
If your GPO is setup to audit logon events, you will be able to find
the "login denied" events in the Event logs "Security".
How to Audit Successful Logon/Logoff and Failed Logons in Active Directory
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
Audit logon events
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

hendri yu 66 Reputation points

2021-01-22T02:41:21.89+00:00
Dear Carl,

Good Day

Thanks for some of the information provided. I have further questions:

is the Audit Logon Events has to be combined with the Default Domain Policy or we could just create a new GPO just for this? Currently, we have issue with our Default domain policy ( could not open- possibly corrupted), hence i have been thinking of recreating another "Default Domain Policy" and at the same time put this "Audit Logon Events" in the new GPO. But i am not sure whether recreating new "Default domain policy" will apply to the clients computer or not?

is it the only way of setting up Audit Logon Policy for user domain logons /logoff / locked out etc is using the GPO?

Thanks
H
Carl Fan 6,881 Reputation points

2021-01-22T10:33:46.567+00:00
Hi H,

By default, there is a bare minimum audit policy configured for Active Directory. You will need to modify the default domain controller policy or create a new one. Also audit policy could be linked to the OU you want.

As far as I know, this may be the only method under the system setting. Setup auditing via Domain Group Policy and check security log on your domain controller.
To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl

Share via

how to filter the event viewer security log for failed logon?

1 answer

Your answer