Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to audit account logon events in
Active Directory

Start your free trial

The first step in safeguarding your organization's network and resources is monitoring your employees' logon activity. Tracking users' logon patterns can help detect logons occurring at unusual times, logons to unauthorized hosts, and other suspicious activities. It also helps sysadmins detect and respond to sudden spikes in failed logon attempts, as such attempts indicate the possibility of a brute force attack. Read on to see how to enable auditing of account logon events.

Steps to enable account logon events auditing using GPMC:

  1. Press start, search for, and open the Group Policy Management Console or run the command gpmc.msc.
    audit-account-logon-events-01
  2. If you want to audit all the accounts in the domain, right click on the domain name and click on Create a GPO in this domain, and Link it here.
  3. If you want to audit accounts in a specific Organizational Unit (OU), right click on that OU and click on Create a GPO in this domain, and Link it here.
    audit-account-logon-events-02
  4. Name the Group Policy Object (GPO) as appropriate.
  5. Right click on the newly created GPO, and choose Edit.
    audit-account-logon-events-03
  6. In the Group Policy Management Editor, on the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
    audit-account-logon-events-04
  7. In the right pane, you will see a list of policies that are under Audit Policy. Double-click on Audit account logon events and check the boxes labeled Define these policy settings, Success, and Failure.
    audit-account-logon-events-05
  8. Click on Apply and then on OK.
  9. Go back to the Group Policy Management Console, and on the left pane, right click on the OU or domain in which the GPO was linked and click on Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.
    audit-account-logon-events-06

Once this policy is enabled, events are logged on Domain Controllers' (DC) security log whenever a logon is validated by the DC.

Find account logon events using Event Viewer

Once the above steps are complete, account logon events get recorded as event logs under various Event IDs. These events can be viewed in the Event Viewer by following the steps below:

  1. Press Start, search for Event Viewer, and click to open it.
  2. In the Event Viewer window, on the left pane, navigate to Windows logSecurity.
  3. Here, you will find a list of all the security events that are logged in the system.
    audit-account-logon-events-07
  4. On the right pane, under security, click on Filter current log.
    audit-account-logon-events-08
  5. In the pop-up window, enter the desired Event ID* in the field labeled <All Event IDs>.

    *The following Event IDs are generated for the given events:

    Event ID Subcategory Event Type Description
    4768 Kerberos Authentication Service Success and Failure A Kerberos authentication ticket (TGT) was requested
    4769 Kerberos Service Ticket Operations Success and Failure A Kerberos service ticket was requested
    4776 Credential Validation Success and Failure The computer attempted to validate the credentials for an account.

    Note: By default, only successful logon attempts are audited. Failed attempts can be audited by enabling it in Advanced Audit Policy Configuration.

  6. Click on OK. This will provide you a list of occurrences of the entered Event ID.
  7. Double-click on the Event ID to view its properties (description).
    audit-account-logon-events-09

As you can see, getting a comprehensive overview of all the logons occurring in your network is impossible using native auditing to keep track of each event as it occurs. An administrator would have to search for the Event ID and view each event's properties. This is highly impractical.

ADAudit Plus monitors user logon activity in real time and provides in-depth reports. You can also get alerts for unusual logon activity and automate a response for them. ADAudit Plus provides all these features and much more to safeguard your Active Directory.

Monitor account logon events using ADAudit Plus

After we enable auditing, as an alternative to using Event Viewer, we can use ADAudit Plus, an AD auditing tool, to monitor logon events in real-time and view informative reports on them.

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your Domain Controller here.

User’s logon failures

 
 

Click on details to open Logon Failure Analyzer for that user. This shows the possible reasons the attempt failed.

 
 

View top logon failures for a custom time period and view events that occur during business or non-business hours.

audit-account-logon-events-10

User’s first and last logon

 
 

View logon activity on business or non-business hours.

 
 

Add trusted users to the "exclude user accounts" list to remove their data from the reports.

audit-account-logon-events-11

Unusual Volume of Logon Failure

 
 

See the unusual time period and associated volume of logons.

 
 

To view more information on each anomalous activity, click on Details.

audit-account-logon-events-12

ADAudit Plus helps monitor and report on users' logon activity with ease.

 

ADAudit Plus Trusted By