- Run gpmc.msc → Create a new GPO → Edit it: go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
  - Audit Logon → Define → Success and Failure.
- Go to Event Log → Define:
  - Maximum security log size to 4 GB.
  - Retention method for security log to "Overwrite events as needed".
- Link the new GPO to the OU that contains the computer accounts: in "Group Policy Management", right-click the OU → choose "Link an Existing GPO" → choose the GPO you created.
- Force the group policy update: in "Group Policy Management", right-click the OU → click "Group Policy Update".
- Open Event Viewer and search the Security log for event ID 4648 (Audit Logon).
- Run Netwrix Auditor → Click "Reports" → choose Active Directory → Logon Activity → choose "Successful Logons" or "Failed Logon" → Click "View".
- After that, you will see all successful and failed logons in your domain.
Audit Logon Events to Identify Unauthorized Access Attempts
An unusual flurry of account lockout events can indicate that an attacker is attempting to get inside your environment. However, auditing only account lockouts may not be enough to enable you to detect all attacks. For example, malicious software that randomly picks passwords for nonexistent usernames will not cause account lockouts. User logon auditing is the only way to detect all unauthorized attempts to log in to a domain. It’s necessary to audit logon events — both successful and failed — to detect intrusion attempts, even if they do not cause any account lockouts.
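The native steps above end at "search the Security log", and the paragraph above explains why failed logons for nonexistent usernames matter even though they never trigger a lockout. The PowerShell below is an added example (not from the Netwrix article or its product) that does both on one domain-joined host: it confirms the Audit Logon subcategory actually arrived via the GPO, then pulls the logon events and groups failures by account name. It goes slightly beyond the article by also collecting 4624 (successful logon) and 4625 (failed logon), the Success/Failure records the Audit Logon subcategory produces, alongside the 4648 event the article searches for. The 24-hour window and the top-20 cut-off are arbitrary choices for the example; it assumes an elevated session on a host where the policy has been applied.

```powershell
# Added example, not Netwrix code: verify the effective audit policy on a member
# server, then summarise logon events from the Security log.
# Assumes an elevated PowerShell session on a domain-joined Windows host.

# 1. Confirm the "Audit Logon" subcategory reports Success and Failure,
#    i.e. that the GPO described above has actually been applied here.
auditpol /get /subcategory:"Logon"

# 2. Collect the logon-related events. 4648 is the ID the article searches for;
#    4624 and 4625 are the success/failure records from the same subcategory.
#    The 24-hour window is an arbitrary choice for this example.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Reduce each event to the fields an analyst triages. Field names come from
#    the event's own EventData XML; 4648 has no LogonType, so that stays empty.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Outcome   = if ($e.Id -eq 4625) { 'Failure' } else { 'Success' }
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']
        SourceIP  = $data['IpAddress']
        SubStatus = $data['SubStatus']   # 0xC0000064 = user name does not exist
    }
}

# 4. Failed logons by account. A long tail of usernames that do not exist in
#    the domain is exactly the pattern that lockout auditing alone misses,
#    because a nonexistent account can never be locked out.
$rows | Where-Object Outcome -eq 'Failure' |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 5. Successful logons per account and logon type, for review of valid
#    credentials being used from unexpected places or at unexpected volumes.
$rows | Where-Object { $_.Outcome -eq 'Success' -and $_.Id -eq 4624 } |
    Group-Object Account, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run it on the domain controllers as well as the member servers: a failed domain logon is recorded on the DC that evaluated the credentials, so a workstation-only search will not show the full picture.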
Netwrix Auditor for Windows Server enables IT pros to get detailed information about every successful and failed logon attempt on their Windows servers. The solution includes comprehensive prebuilt reports that streamline logon monitoring and help IT pros minimize the risk of a security breach. For instance, the Failed Logon Attempts report enables IT pros to detect intrusion attempts, and the Successful Logons by User report helps them spot unusual successful logons that could be attackers using valid credentials they have stolen.