After setting up Change Auditor or InTrust to collect Logon events, only failed logon events show.
By default the Domain policy only logs failed logon attempts.
To gather all logon attempts you will need to modify the existing domain controller policy to Audit successful and failed logon events.
To do this, apply a new GPO to the domain controllers, or edit an existing GPO, with the following:
Users configuration | Policies | Windows Settings | Audit Policy
Audit logon events
Tick "Define these policy settings", "Success" and "Failure".
This will increase the size of the "Security" event log, so it is recommended that you also modify the "Event log" policies to set a maximum size so that the event log does not grow too large.
Once this has been applied to the Domain Controller, the computer policy will next be applied when the computer account logs on to the domain (i.e. you will need to restart the Domain Controller for it to take effect).
Before restarting, you can verify that these settings produce the correct logs by modifying the "Local Security Policy" on a Domain Controller and making the same changes in the "Local Policies".
When you have verified the local security policy produces the correct logon success/failure events in the Security log you can apply the same to the Group Policy.
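The verification step above can be scripted. The following PowerShell is an added example, not part of the original article or of Change Auditor or InTrust. It assumes an elevated session on the Domain Controller, an English-language OS (auditpol names are localized), and a 30-minute look-back window chosen for illustration.

```powershell
# Added example: verify that logon success/failure auditing is in effect and
# that the Security log is sized for the extra volume.
# Assumptions: elevated session, English OS, 30-minute look-back window.
$windowMinutes = 30

# 1. Effective audit setting for the "Logon" subcategory (/r emits CSV).
$logonAudit = auditpol /get /category:"Logon/Logoff" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Logon' }
$setting = $logonAudit.'Inclusion Setting'
"Effective 'Logon' audit setting: $setting"
if ($setting -ne 'Success and Failure') {
    Write-Warning "Success and Failure are not both being audited yet."
}

# 2. Recent logon events: 4624 = successful logon, 4625 = failed logon.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddMinutes(-$windowMinutes)
}
$events  = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$success = @($events | Where-Object Id -eq 4624).Count
$failure = @($events | Where-Object Id -eq 4625).Count
"Last $windowMinutes min: $success successful (4624), $failure failed (4625)"
if ($success -eq 0) {
    Write-Warning "No 4624 events found; success auditing may not be applied."
}

# 3. Security log capacity and how far back it currently reaches.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
'Security log: {0:N0} MB used of {1:N0} MB max, mode {2}' -f `
    ($log.FileSize / 1MB), ($log.MaximumSizeInBytes / 1MB), $log.LogMode
'Oldest retained event: {0}' -f $oldest.TimeCreated
```

Comparing the oldest retained event before and after enabling success auditing shows how much history the configured maximum size still holds.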