Tracing Account Logon Location

Hi There

I'm having an issue where logon events for certain accounts, functioning as "service accounts", are not registered\recorded in the security event log on Domain Controllers.

When viewing the LastLogon attribute on the user object I can clearly see the time when the account logged onto the specific DC. However, when I then go to the security event log and look at the logs for the same time period, nothing is recorded. I've even gone so far as to enable debug logging on a DC in an attempt to find the source. To my surprise, even though the LastLogon attribute for the object on that DC got updated, it was not picked up in the netlogon.log file.

Has anyone experienced this? Are there some cases where the lastlogon attribute gets updated but not recorded in any logs?

Thanks

March 31st, 2015 12:24pm

Have you turned on audit policy logging - for both success and failure events for your domain controllers? https://technet.microsoft.com/en-us/library/dd941595(v=ws.10).aspx
March 31st, 2015 1:37pm

Well, I'm using advanced audit configuration. And I can see logon events on all Domain controllers, just not for some of the accounts as mentioned above.
March 31st, 2015 2:20pm

It should be recorded in the logs if logging is enabled.

Please make sure that auditing is properly enabled on your DCs. You can see the applied settings using rsop.msc.

See these for the configuration and possible events:
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx

Please note that using a third party tool for auditing would be helpful when auditing similar events. My favorite is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html The tool includes logon/logoff reports that should be helpful (You can contact them for an evaluation period).

March 31st, 2015 2:33pm

Well, RSOP does not display Advanced Audit Policy configuration.

Surely if it was configured incorrectly no logon events would have been generated? I've now enabled the setting "Force Audit policy subcategory setting", not that it should make a difference with regards to some logon events logged and others not. I'll monitor this and see if it makes a difference.

April 2nd, 2015 3:32am
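
The comparison described in this thread (per-DC LastLogon versus the Security log on the same DC) can be scripted. The following is an added example, not code from any poster in the thread. It assumes the ActiveDirectory RSAT module, rights to read the Security log remotely, a placeholder account name `svc-example`, an arbitrary two-minute window, and that event IDs 4624, 4768, 4769 and 4776 are the ones of interest.

```powershell
# Added example: correlate the non-replicated lastLogon value on each DC with
# authentication events recorded in that DC's Security log around the same time.
Import-Module ActiveDirectory

$Account  = 'svc-example'                 # placeholder sAMAccountName (assumption)
$Window   = New-TimeSpan -Minutes 2       # arbitrary search window around lastLogon
# 4624 logon, 4768 Kerberos TGT request, 4769 Kerberos service ticket, 4776 NTLM validation
$EventIds = 4624, 4768, 4769, 4776

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # lastLogon is stored per DC, so each DC has to be asked for its own value
    $user = Get-ADUser -Identity $Account -Server $dc.HostName -Properties lastLogon
    if (-not $user.lastLogon) {
        [pscustomobject]@{ DC = $dc.HostName; LastLogon = $null; EventId = $null
                           EventTime = $null; Note = 'no lastLogon on this DC' }
        continue
    }
    $stamp = [DateTime]::FromFileTime($user.lastLogon)   # FILETIME -> local time

    $filter = @{
        LogName   = 'Security'
        Id        = $EventIds
        StartTime = ($stamp - $Window)
        EndTime   = ($stamp + $Window)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no hits"
    $hits = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter `
                  -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match [regex]::Escape($Account) })

    if ($hits.Count -eq 0) {
        [pscustomobject]@{ DC = $dc.HostName; LastLogon = $stamp; EventId = $null
                           EventTime = $null; Note = 'lastLogon set, no matching event' }
    }
    foreach ($e in $hits) {
        [pscustomobject]@{ DC = $dc.HostName; LastLogon = $stamp; EventId = $e.Id
                           EventTime = $e.TimeCreated; Note = 'matched' }
    }
}

$results | Sort-Object DC, EventTime | Format-Table -AutoSize
```

Rows marked "lastLogon set, no matching event" identify the DCs where the gap occurs. Running `auditpol /get /category:*` on such a DC lists the effective advanced audit subcategory settings.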

This topic is archived. No further replies will be accepted.
