
Audit Logon

The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.

The following is an excerpt from my book, The Windows Security Log Revealed:

Whether a user logs on by using a local SAM account or a domain account, the Logon/Logoff category records the attempt on the system to which the user tries to log on. When the user logs on to a workstation’s console, the workstation records a Logon/Logoff event. When you access a Windows server on the network, the relevant Logon/Logoff events appear in the server’s Security log. So, although account logon events associated with domain accounts are centralized on DCs, Logon/Logoff events are found on every system in the domain.

Logon/Logoff events aren’t a good option for tracking domain account authentication or for detecting attempts to access computers by using local SAM accounts. However, they do provide some information not available otherwise. First and foremost, Logon/Logoff events on a given system give you a complete record of all attempts to access that computer, regardless of the type of account used. Second, these events reveal the type of logon, which you can’t determine from Account Logon events. Ostensibly, this category should also provide the ability to track the logon session itself, identifying not just the logon event but also the logoff. Unfortunately, the value of logoff events is questionable at best. Logon/Logoff events also provide the IP address of the client computer, which is useful information for NTLM-based logons because NTLM Account Logon events don't provide the IP address. Finally, the Logon/Logoff category provides two event IDs specific to Terminal Services activity.
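To make the two points above concrete (logon type and client IP address are available in Logon/Logoff events but not in Account Logon events), here is an added example that parses a handful of exported Security log records and summarizes them. It is not code from this article or from the book. It assumes the well-known Windows Vista and later event IDs 4624 (successful logon) and 4625 (failed logon), the LogonType codes Microsoft documents for those events, and the XML shape produced by `wevtutil qe Security /f:xml`; the records it processes are constructed sample data, not captured logs.

```python
"""Summarise Logon/Logoff events exported from a Windows Security log.

Added example; not code from the WinSecWiki article or the book it quotes.
Assumptions: Vista+ event IDs 4624 (successful logon) and 4625 (failed
logon), the documented LogonType codes, and the XML shape written by
`wevtutil qe Security /f:xml`. The records below are constructed sample
data, not captured logs.
"""
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# LogonType codes documented for 4624/4625 (the commonly seen subset).
LOGON_TYPES = {
    2: "Interactive",         # console logon
    3: "Network",             # file share, named pipe, etc.
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",  # Terminal Services / RDP
    11: "CachedInteractive",
}


def _event(event_id, computer, user, logon_type, ip, package):
    """Build one constructed <Event> record in the exported-XML shape."""
    return (
        f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
        f'<Computer>{computer}</Computer></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        f'<Data Name="AuthenticationPackageName">{package}</Data>'
        f'</EventData></Event>'
    )


# Constructed sample log: one console logon, one NTLM network logon, one
# Terminal Services logon, and three failed network logons from one client.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "WS01", "alice", 2, "-", "Kerberos"),
    _event(4624, "FS01", "bob", 3, "10.0.0.25", "NTLM"),
    _event(4624, "TS01", "carol", 10, "10.0.0.40", "Negotiate"),
    _event(4625, "FS01", "svc_backup", 3, "10.0.0.99", "NTLM"),
    _event(4625, "FS01", "svc_backup", 3, "10.0.0.99", "NTLM"),
    _event(4625, "FS01", "administrator", 3, "10.0.0.99", "NTLM"),
]) + "</Events>"


def parse_logon_events(xml_text):
    """Return one dict per 4624/4625 record with the fields the article
    calls out: the logon type and the client IP address."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4624, 4625):
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        ip = data.get("IpAddress", "-")
        events.append({
            "event_id": event_id,
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "user": data.get("TargetUserName", ""),
            "logon_type": LOGON_TYPES.get(int(data.get("LogonType", 0)), "Unknown"),
            # Windows writes "-" when no client address applies (console logons).
            "ip": None if ip in ("-", "") else ip,
            "package": data.get("AuthenticationPackageName", ""),
        })
    return events


def successful_logons_by_type(events):
    """Count successful logons (4624) per logon type; Account Logon events
    on the DC cannot give you this breakdown."""
    return dict(Counter(e["logon_type"] for e in events if e["event_id"] == 4624))


def failed_logon_sources(events, threshold=3):
    """Client IPs with at least `threshold` failed logons (4625). The IP
    is the detail that NTLM Account Logon events lack."""
    counts = Counter(e["ip"] for e in events if e["event_id"] == 4625 and e["ip"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_XML)
    for e in evs:
        print(f'{e["computer"]:5} {e["event_id"]} {e["logon_type"]:17} '
              f'{e["user"]:14} {e["ip"] or "(console)"}')
    print("successes by type:", successful_logons_by_type(evs))
    print("failed-logon sources:", failed_logon_sources(evs))
```

Run against a real export (`wevtutil qe Security /f:xml > security.xml` on the member server or workstation, since these events live on the system being accessed, not on the DC), the same two functions give the per-type breakdown and the client addresses behind repeated failures that this category adds over Account Logon auditing.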

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Logon/Logoff (Windows Server 2008 and Vista).
