Audit Account Logon
Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.
The following is an excerpt from my book, The Windows Security Log Revealed:
Microsoft should have named this category Authentication instead of Account Logon to reduce confusion between it and the Logon/Logoff category. On DCs, these events allow you to track all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, these events document any attempts to log on by using a local account stored in that computer’s SAM.
For a list of Event IDs generated by this category, see the Security Log Encyclopedia.
Bottom Line
- Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
- Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Logon (Windows Server 2008 and Vista).