Auditing Account Logon
How to configure and report account logon auditing.
To review and report user logon events, you must enable Audit Logon Events for PC(s) and Audit Account Logon Events for domain logon. Then set a security log size and retention. Finally, periodically filter the security log and export to Excel for reporting to management.
- Open the Group Policy Management Console on a domain controller.
- Right-click on the domain name and click Create a GPO in this domain and Link it here.
- Type Logon Logoff Auditing and click OK.
- Right-click on the newly created Logon Logoff Auditing policy and click Edit.
- Expand Computer Configuration, and go to the node Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy).
- Double-click on the policy setting Audit account logon events, check Success and Failure audit, and click OK.
- Double-click on the policy setting Audit logon events, check Success and Failure audit, and click OK.
- Remain in Group Policy Management, right-click on the domain name or OU where you have applied the policy, and click on Group Policy Update.
- Next, set the security log size and retention by expanding Computer Configuration\Windows Settings\Security Settings\Event Log.
- Set Retain security log to 90 days and Retention method for security log to By days.
- On the desired audit schedule, open Event Viewer, right-click on the Security log, and choose Filter Current Log...
- These are the logon and logoff Event IDs:
  - 4624: An account was successfully logged on
  - 4625: An account failed to log on
  - 4634: An account was logged off
  - 4647: User initiated logoff
- Once the filtering is complete, you can right-click and Save Filtered Log File As… an XML file for opening in Excel as an XML table.
- Then you will have a spreadsheet where you can hide the columns you don’t want and filter through the logon/logoff events.
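
The filter-and-export step can also be scripted. The PowerShell below is an added example, not part of the original page; it pulls the four event IDs listed above from the Security log and writes a CSV. The seven-day review window and the output path are assumptions to adjust.

```powershell
# Added example: export logon/logoff events from the Security log to CSV.
# Run from an elevated PowerShell session on the computer being reviewed.
$eventNames = @{
    4624 = 'An account was successfully logged on'
    4625 = 'An account failed to log on'
    4634 = 'An account was logged off'
    4647 = 'User initiated logoff'
}
$since   = (Get-Date).AddDays(-7)                  # assumed review window
$outFile = Join-Path $env:TEMP 'logon-report.csv'  # assumed output path

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4647
    StartTime = $since
}
# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a name/value lookup.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Description = $eventNames[$e.Id]
        Computer    = $e.MachineName
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']   # not present on 4647
        SourceIp    = $data['IpAddress']   # present on 4624 and 4625 only
    }
}

# One row per event, oldest first, ready to open in Excel.
$report | Sort-Object TimeCreated | Export-Csv -Path $outFile -NoTypeInformation

# Per-account totals for each event ID, as a quick summary on screen.
$report | Group-Object Account, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The resulting CSV opens directly in Excel, where the columns can be hidden or filtered in the same way as the XML table.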