How to Monitor User Logons in a Domain
Native Auditing vs. Netwrix Auditor for Active Directory
Native auditing
- Run gpmc.msc → Create a new GPO → Edit it: go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
  - Audit Logon → Define → Success and Failure.
- Go to Event Log → Define:
  - Maximum security log size: 4 GB
  - Retention method for security log: "Overwrite events as needed".
- Link the new GPO to the OU that contains the computer accounts: in Group Policy Management, right-click the OU → Link an Existing GPO → choose the GPO you created.
- Force a group policy update: in Group Policy Management, right-click the OU → Group Policy Update.
- Open Event Viewer and search the Security log for event ID 4648 (Audit Logon).
Netwrix Auditor
- Run Netwrix Auditor → click "Reports" → Active Directory → Logon Activity → choose "Successful Logons" or "Failed Logons" → click "View".
- The report lists all successful and failed logons in your domain.
Audit Logon Events to Identify Unauthorized Access Attempts
An unusual flurry of account lockout events can indicate that an attacker is attempting to get inside your environment. However, auditing only account lockouts may not be enough to detect all attacks. For example, malicious software that tries random passwords against nonexistent usernames will never cause an account lockout, because there is no account to lock. User logon auditing is the only way to detect all unauthorized attempts to log in to a domain. We’ll show you how to audit logon events — both successful and failed — to detect intrusion attempts, even those that do not cause any account lockouts.
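Once the GPO above is in effect, the Event Viewer search from the native steps can be scripted. The following PowerShell is an added example, not part of the original article or of any Netwrix tool: it queries the local Security log for event 4648 (the ID the article searches for) together with 4624 and 4625, the success and failure events written by the "Audit Logon: Success and Failure" setting, and summarizes them per source address, flagging sources whose failures are mostly for usernames that do not exist, the case described above that never trips a lockout. The 24-hour window and the threshold of 10 unknown-user failures are assumptions.

```powershell
# Added example (not from the original article or Netwrix): summarize Security-log
# logon events produced once the Audit Logon GPO is in effect. Run from an elevated prompt.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline = $true)] $Event)  # EventLogRecord from Get-WinEvent
    process {
        # Read EventData fields by name rather than by positional Properties index
        $xml = [xml]$Event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Id        = $Event.Id
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            SubStatus = $data['SubStatus']   # populated only on 4625 (failed logon)
        }
    }
}

function Get-LogonSummary {
    param([object[]]$Records, [int]$UnknownUserThreshold = 10)  # threshold is an assumption
    $Records | Group-Object Source | ForEach-Object {
        $failures = @($_.Group | Where-Object Id -eq 4625)
        # SubStatus 0xC0000064 = "user name does not exist": guesses against nonexistent
        # accounts never lock anything out, so lockout-only monitoring misses them entirely
        $unknown = @($failures | Where-Object SubStatus -eq '0xC0000064')
        [pscustomobject]@{
            Source           = $_.Name
            Successes        = @($_.Group | Where-Object Id -eq 4624).Count
            ExplicitCreds    = @($_.Group | Where-Object Id -eq 4648).Count
            Failures         = $failures.Count
            DistinctAccounts = @($failures | Select-Object -ExpandProperty Account -Unique).Count
            UnknownUsers     = $unknown.Count
            Suspicious       = ($unknown.Count -ge $UnknownUserThreshold)
        }
    } | Sort-Object Failures -Descending
}

# 4648 is the ID the article searches for; 4624/4625 are the success/failure events
# written by "Audit Logon: Success and Failure". The 24-hour window is an assumption.
$filter  = @{ LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = (Get-Date).AddHours(-24) }
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ConvertTo-LogonRecord
Get-LogonSummary -Records $records | Format-Table -AutoSize
```

Run it on a domain controller to see domain-wide authentication; on a member server it reports only logons to that host.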
Logon auditing with Netwrix Auditor for Windows Server gives IT pros detailed information about every logon attempt, including the account name, the time, and the originating system. The software automatically collects, consolidates and archives event and syslog data, and generates clear reports for auditing logon events. For instance, the Successful Logons by User report shows successful logons filtered by user name, and the Failed Logon Attempts report shows unsuccessful authentication attempts in Active Directory, providing easy and effective ways to control user logon activity.