We are running Server 2008 Std with two Domain Controllers. We have a GPO for User account logon events set to monitor logon success and failures. I am using events 4624 (success) and 4625(failuer) for tracking however, when I look at the security event log I only see 4625 events. I am not getting any phone calls so I am guessing everyone is able to login and Ican see that they are. The plan was to use this audit feature to track when users initially login. Eventually we want to be able to track user login and logoff. Am I missing something? TIA, JImJim "Nothing is fool proof to a talented fool"

Hi Jim, How do you enable the audit policy on Domain Controller? Please let us know the steps you did. Meanwhile, I suggest running rsop.msc on the Domain Controller to check if the "Success" has been checked in the "Audit logon events" policy.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Bruce-Liu Thanks for the reply. I opened Group Policy > Computer Configuration > WIndows Settings > Security Settings > Local Policies > Audit Policy and changed Audit account logon events to success and failure Audit logon events to success and failure I did run RSPO and it showed these two setting changed. TIA, Jim Jim "Nothing is fool proof to a talented fool"

Hi Jim, How did you enable the audit policy on Domain Controller? Please let us know the steps you did. Meanwhile, I suggest running rsop.msc on the Domain Controller to check if the "Success" has been checked in the "Audit logon events" policy. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Jim, Sorry for the delay. Have you run RSOP.msc on client side to check if the audit policy was applied? Meanwhile, check the event log on another DC.This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.