Where will audit logs be stored?

Windows Server 2008 R2 SP1

If I enable auditing for user logins/logouts, do I have the option to store such activity on each user's computer, or will the log by design be stored on the DC servers?

August 30th, 2015 11:04am

Hi

Audit Account Logon Events

Microsoft should have named the Audit account logon events policy category Audit authentication events. On DCs, this policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, the policy records any logon attempts that use a local account that is stored in the computer's Security Account Manager (SAM).

The policy has four subcategories:

    • Credential Validation
    • Kerberos Authentication Service
    • Kerberos Service Ticket Operations
    • Other Account Logon Events

Logon Events

This audit policy actually controls the Logon/Logoff audit category. The main objective of the Audit logon events policy is to record all attempts to log on to or log off of the local computer by using either a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn't logging on to the DC; the DC is simply authenticating the user.) Still, in such an instance a network logon event (4624) will appear in the DC's security log because the workstation must log on to the DC as the user to apply Group Policy for that user. But to track all domain account authentication, you should use Audit account logon events.

The Audit logon events policy has nine subcategories:

  • Logon
  • Logoff
  • Account Lockout
  • IPsec Main Mode
  • IPsec Quick Mode
  • IPsec Extended Mode
  • Special Logon
  • Other Logon/Logoff Events
  • Network Policy Server

For detailed information, check this article:

https://www.ultimatewindowssecurity.com/securitylog/resourcekits/book2008/chapter2.aspx

August 30th, 2015 12:06pm

I don't believe it!

"Microsoft doesn't provide subcategory settings in Group Policy. (We can't believe it either!) You can set subcategories only by using a command-line program called Auditpol (Figure 2-3). Auditpol cannot be run on a remote computer. To set the policy on all systems you would need to run a script using that uses this tool."

Thanks for the link. It makes sense now.

August 31st, 2015 1:46am
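
Added example (not part of the thread and not taken from the linked book): a per-machine script of the kind the quoted passage describes, which sets logon-related subcategories with Auditpol and then reads the effective policy back to confirm it. The choice of subcategories and settings in `$desired` is an assumption for illustration, and the script assumes an English-language system and an elevated prompt.

```powershell
# Added example. Run locally on each machine (for instance as a startup script),
# from an elevated prompt, because Auditpol acts on the computer it runs on.
# Assumption: the subcategories and settings chosen here are illustrative only.
$desired = @{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Account Lockout'                 = 'Success'
    'Special Logon'                   = 'Success'
}

foreach ($name in $desired.Keys) {
    # Translate the wanted setting into auditpol's /success and /failure switches.
    $success = if ($desired[$name] -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($desired[$name] -match 'Failure') { 'enable' } else { 'disable' }

    auditpol /set "/subcategory:$name" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol /set failed for subcategory '$name'"
    }
}

# Read the effective policy back in CSV form (/r) and compare it with $desired.
# Blank lines in the report are dropped before the CSV is parsed.
$report = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$rows   = $report | Where-Object { $desired.ContainsKey($_.Subcategory) }

$drift = 0
foreach ($row in $rows) {
    $actual = $row.'Inclusion Setting'
    $wanted = $desired[$row.Subcategory]
    if ($actual -ne $wanted) {
        $drift++
        Write-Warning ("{0}: {1} is '{2}', expected '{3}'" -f `
            $env:COMPUTERNAME, $row.Subcategory, $actual, $wanted)
    }
}

# A non-zero exit code lets a deployment tool flag machines that did not converge.
if ($drift -gt 0) { exit 1 }
Write-Output "$env:COMPUTERNAME: audit subcategories match the desired settings."
```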
