Hey Looking to get a bit of help here. Assuming I have ACS enabled on our DC (only on our DC) what would be the most correct way to audit users logons to the domain. Right now I am up in the air as to which Audit Policy/Events to target when reporting on the security event log data. As far as I can tell there are 3 options each with their pro's and cons. 4768 - Kerberos Authentication Service 4769 - Kerberos Service Ticket Operations (I find this generates too many events as it also generates when accessing shares) 4624 - Logon Any suggestions?

Good links on security events here. Thats all I have for ya. http://blogs.technet.com/b/kevinholman/archive/2011/08/05/a-list-of-all-possible-security-events-in-the-windows-security-event-log.aspx

Hi, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as "Answered" as the previous steps should be helpful for many similar scenarios. In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks,Yog Li -- Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.