Configure audit settings and items to audit user logons

Email It to Me Print this Page
Question Which group policy settings should be configured to enable logon audit? What computers should be specified in the items list?
Answer If you are only interested in auditing domain logons (both successful and failed) and you have Netwrix Auditor for Active Directory, consider using Logon Activity module.

If you want to audit logons to workstations with local accounts or do not have the Logon Activity module, please read below:

The configuration would depend on if you want to monitor specific logon types (interactive, service, batch etc.) or just want to see the fact that the user had been logged-on.

In the first case (monitor logon types) you should configure the group policy that is linked to Domain Controllers OU and OU that contains all other computers. (By default they are Default Domain Controller Policy and Default Domain Policy) and you should specify all computers and DCs to the Items list.

In the second case (monitoring just fact of logon) you should configure the group policy that is linked to Domain Controllers OU (By default it is Default Domain Controller Policy) and only DCs should be specified in the Items list.

The list of group policy settings that should be configured can be found in the following KB: https://www.netwrix.com/kb/1904
Was this information helpful?