Audit logon events

Modified: 2008/01/13 20:50 by Randy Franklin Smith - Uncategorized
The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.

The events generated by this policy vary according to the version of Windows. For more information on this audit policy and the events it generates, see these links:

Bottom line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Logon/Logoff (Windows Server 2008 and Vista).
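
The following check is an added example, not part of the original page: it reads the CSV report that `auditpol /get /category:"Logon/Logoff" /r` produces on Vista and Server 2008 and compares each subcategory against a baseline. The function name, the sample report and the baseline values are assumptions made for illustration; the page does not prescribe specific subcategory settings.

```powershell
# Added example (not from the original page). Works on PowerShell 2.0 and later.
function Compare-LogonAuditPolicy {
    param(
        [Parameter(Mandatory=$true)][string[]]$CsvLines,
        [Parameter(Mandatory=$true)][hashtable]$Wanted
    )
    # auditpol /r emits CSV with a header row; drop blank lines before parsing.
    $rows = @($CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv)
    foreach ($name in ($Wanted.Keys | Sort-Object)) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Wanted      = $Wanted[$name]
            Actual      = $actual
            Ok          = ($actual -eq $Wanted[$name])
        }
    }
}

# Constructed sample of the report (host name and GUIDs are placeholders).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
HOST01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
HOST01,System,Account Lockout,{00000000-0000-0000-0000-000000000003},No Auditing,
HOST01,System,Special Logon,{00000000-0000-0000-0000-000000000004},Success,
'@ -split "`r?`n"

# Hypothetical baseline, for illustration only; the page does not prescribe one.
$baseline = @{
    'Logon'           = 'Success and Failure'
    'Logoff'          = 'Success'
    'Account Lockout' = 'Failure'
    'Special Logon'   = 'Success'
}

# With the sample above, only "Account Lockout" is reported with Ok = False.
Compare-LogonAuditPolicy -CsvLines $sample -Wanted $baseline |
    Select-Object Subcategory, Wanted, Actual, Ok | Format-Table -AutoSize

# Live use from an elevated prompt on Vista / Server 2008 or later:
#   $live = auditpol /get /category:"Logon/Logoff" /r
#   Compare-LogonAuditPolicy -CsvLines $live -Wanted $baseline
# Bring one drifted subcategory back in line:
#   auditpol /set /subcategory:"Account Lockout" /failure:enable
```

On non-English systems auditpol localizes the subcategory names and setting strings, so match on the Subcategory GUID column instead.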


Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. Terms and conditions.