If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditKerberosAuthenticationService
#Audit logon windows#
Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account LogonĪccountLogon_AuditKerberosAuthenticationService Scope For local accounts, the local computer is authoritative.ĭescription framework properties: Property name For domain accounts, the domain controller is authoritative. Events in this subcategory occur only on the computer that's authoritative for those credentials. This policy setting allows you to audit events generated by validation tests on user account logon credentials. Device/Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.In this article AccountLogon_AuditCredentialValidation Scope Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. Use WMI/ADSI to query each domain controller for logon/logoff events. Please be aware that unauthorized users can change this scripts, due the requirement that the SHARENAME$ will be writeable by users. There are two types of auditing that address logging on, they are Audit Logon Events and Audit Account Logon Events.Īudit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).Īudit "Account Logon" Events tracks logons to the domain, and the results appear in the Security Log on domain controllers only.Ĭreate a logon script on the required domain/OU/user account with the following content:Įcho %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >Ĭreate a logoff script on the required domain/OU/user account with the following content: Tips Option 1Įnable Auditing on the domain level by using Group Policy:Ĭomputer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy The following article will help you to track users logon/logoff.
This article was written by Yuval Sinay, Microsoft MVP.
#Audit logon how to#
This article describes how to track users logon/logoff.Īpplies to: Windows Server 2003 Original KB number: 556015
0 kommentar(er)
