
Audit Account Logon

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM. 

The following is an excerpt from my book, The Windows Security Log Revealed:

Microsoft should have named this category Authentication instead of Account Logon to reduce confusion between it and the Logon/Logoff category. On DCs, these events allow you to track all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, these events document any attempts to log on by using a local account stored in that computer’s SAM. 

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Logon (Windows Server 2008 and Vista).
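
The script below is an added example, not part of the original article or the book: on Windows Vista / Server 2008 and later it reads the four Account Logon subcategories with `auditpol`, reports drift from a baseline, and optionally applies it. The baseline values are assumptions chosen for illustration only; the script assumes an English-language system, PowerShell 2.0 or later, and an elevated prompt.

```powershell
# Added example (not from the original page). Run elevated.
# Usage: .\Check-AccountLogonAudit.ps1          -> report only
#        .\Check-AccountLogonAudit.ps1 -Apply   -> report and set baseline
param([switch]$Apply)

# Hypothetical baseline (assumption): subcategory name -> desired setting.
# Valid settings as printed by auditpol: 'No Auditing', 'Success',
# 'Failure', 'Success and Failure'.
$baseline = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Other Account Logon Events'         = 'No Auditing'
}

# 'auditpol /get ... /r' emits CSV with the columns
# 'Subcategory' and 'Inclusion Setting' (among others).
$current = auditpol /get /category:"Account Logon" /r |
    Where-Object { $_ } |          # drop blank lines in the report
    ConvertFrom-Csv

foreach ($row in $current) {
    $want = $baseline[$row.Subcategory]
    $have = $row.'Inclusion Setting'
    if (-not $want -or $have -eq $want) { continue }

    Write-Output ("{0}: is '{1}', baseline is '{2}'" -f $row.Subcategory, $have, $want)

    if ($Apply) {
        # Translate the setting name into auditpol's two switches.
        $s = if ($want -like '*Success*') { 'enable' } else { 'disable' }
        $f = if ($want -like '*Failure*') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$($row.Subcategory)" /success:$s /failure:$f |
            Out-Null
    }
}

# Category-level (legacy) audit policy delivered by Group Policy overrides
# subcategory settings unless this value is 1 ("Audit: Force audit policy
# subcategory settings ... to override audit policy category settings").
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: category-level policy can override these subcategory settings.'
}
```

Without `-Apply` the script only reports differences, so it can be run on DCs, member servers and workstations to compare their current subcategory state before any change is made.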
