Please note, a logon and an Authentication are not the same thing. When a user logs on to a machine for the first time that day, there is a logon event recorded on the machine that they entered their username and password on, and there is a Kerberos authentication event logged on the DC that processed the users authentication to Active Directory.
If you are trying to determine where or when a user logged on to a workstation or member server, you will need to deploy the Workstation Logon Audit Agent as per the following KB article:
For AD Authentication events, AA has a predefined Event Definition: "Kerberos authentication ticket (TGT) was registered". This Event Definition is disabled by default due to the large number of "Kerberos authentication ticket (TGT) was requested" events (event ID 4768) that get logged on the DCs daily. Enabling this Event Description will allow AA to report on when a user authenticated to AD (Event ID 4768(, however the AA database will most likely begin to grow very fast with this Event Description enabled. There is no way to determine how fast or how many more records will be created as each environment is different.
If this Event Description is enabled, it is highly recommended to closely monitor the database size to ensure database growth does not become an issue.
To create Alerts for these events:
To create an Audit Report for these events:
© 2021 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité