How to Monitor User Logоns in a Domain


Native Auditing vs. Netwrix Auditor for Active Directory

We never share your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Steps
  1. Run gpmc.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
    • Audit Logon → Define → Success And Failures.
  2. Go to Event Log → Define:
    • Maximum security log size to 4gb
    • Retention method for security log to "Overwrite events as needed".
  3. Link the new GPO to OU with Computer Accounts: Go to "Group Policy Management" → right-click the defined OU → choose Link an Existing GPO → choose the GPO that you created.
  4. Force the group policy update: In "Group Policy Management" right click on the defined OU → click on "Group Policy Update".
  5. Open Event viewer and search Security log for event id’s 4648 (Audit Logon).

Microsoft Windows Security Event 4648: a logon was attempted using explicit credentials

  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Logon Activity" → Select "Successful Logons" or "Failed Logons" → Click "View".


If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.

Netwrix Auditor Successful Logons by User: shows logons filtered by user name

Netwrix Auditor Failed Logon Attempts: shows failed authentication attempts in Active Directory

Audit Logon Events to Identify Unauthorized Access Attempts

User logon auditing is the only way to detect all unauthorized attempts to log in to a domain. It’s necessary to audit logon events — both successful and failed — to detect intrusion attempts, even if they do not cause any account lockouts.

Netwrix Auditor for Active Directory enables IT pros to get detailed information about every successful and failed logon attempts in their Active Directory. The solution includes comprehensive prebuilt reports that streamline logon monitoring and help IT pros minimize the risk of a security breach. For instance, the Failed Logons report enables IT pros to detect intrusion attempts, and the Successful Logons report helps them spot unusual successful logons, such as a single user simultaneously trying to access multiple resources or users logging outside of normal business hours, that could be attackers using valid credentials they have stolen.