WinSecWiki > Security Settings > Local Policies > Audit Policy > Account Logon

Audit Account Logon

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM. 

The following is an exerpt from my book, The Windows Security Log Revealed : 

Microsoft should have named this category Authentication instead of Account Logon to reduce confusion between it and the Logon/Logoff category. On DCs, these events allow you to track all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, these events document any attempts to log on by using a local account stored in that computer’s SAM. 

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

• Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
• Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Logon (Windows Server 2008 and Vista).

Child articles:

• Credential Validation
• Kerberos Authentication Service
• Kerberos Service Ticket Operations
• Other Account Logon Events

Back to top

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources