How to enable Active Directory Logon Auditing

Captions
I'm going to show you how you can set up logon auditing for Active Directory so that you can track successful and failed logon attempts, which are then recorded in the Security event log within the Event Viewer. So to start, I'm on my domain controller, and then I'm going to open up Tools and then Group Policy Management. Within here we can create a new GPO and call this "Audit Policy", and then once we've got our new GPO we can right-click and Edit, and then under Computer Configuration we can go to Policies, Windows Settings, Security Settings and then Advanced Audit Policy Configuration. Within the Advanced Audit Policy Configuration we can drill down to Audit Policies and then Logon/Logoff, and here we've got a handful of options that we can configure. The main one that you'll want to do is Audit Logon: you'll want to tick "Configure the following audit events" and then select Success and Failure. What this will do is, whenever a logon event happens, so when someone tries to log in and they either successfully log in, or they put an incorrect password in, or the logon fails, it will log an event to the Event Viewer, which we can then monitor at a later date. What we also want to do is enable Audit Account Lockout, so if an account gets locked out it will notify us by logging an event in the Event Viewer that the account is locked out or someone is trying to log in with a locked-out account, and then we can again monitor that at a later date.

Now, something to be aware of is that these options in here are logged on the local workstation that the account attempts to log into, so if someone tries to log into a Windows PC, these events will get logged in the Event Viewer on that local PC. What we can also do is come to Account Logon and then enable the Credential Validation and the Kerberos events. This will then also log an event on the domain controller that gets the authentication request, so if someone tries to log in and fails, it will also be logged on the domain controller that a logon attempt has failed. So I will come to Credential Validation and just enable it and set Success and Failure, and then also for Kerberos Authentication Service enable Success and Failure, and then again in Kerberos Service Ticket Operations we'll enable Success and Failure. For the time being that's all we want. Now you can go through and check these other options out to see if that's something you also want to monitor; however, for the scope of this guide we'll just focus on Audit Logon and Audit Account Lockout, as well as the Kerberos and Credential Validation events.

So now we've got our group policy, our audit policies, we need to apply this. As this is an audit one, I would recommend just dragging it over your entire domain and linking it at the top of the domain, and then right-clicking and enforcing it, so that if any machines have the inheritance for group policy disabled it will just override and they will get this as well. So now we've got this. Normally you would just leave this, and then after a day or two, or a couple of hours, the clients and servers will check in and get the latest update; however, I'm just going to run gpupdate just so I can force this to update quickly. So now we've updated the group policy on our domain controller, I will just come to a Windows 11 client, and on my Windows 11 client I will also do a gpupdate so it forces the latest policy so we can do some testing. Now this is updated, I will just log off and then we can log back in for a demo.

So now to actually test this: if I log in to my domain account but I put in a bad password, it will say the user name or password is incorrect, try again, and then if I actually log in it will go through. Now if we check the Event Viewer, in theory those attempts should be logged, and we can see, hopefully, that we have an Audit Failure and an Audit Success. So there we go: we've got our user account name, Danny, "unknown user name or bad password", and then we can see our Audit Failure, which we then logged into with the correct username and password. So we can see that event ID 4625 has been logged; any time an audit failure occurs, so if we wanted to monitor for logon failures, we just monitor for this event ID and that will notify us any time of any logon failure.

Now obviously this was on the Windows 11 computer; however, if I come back to my domain controller and also open up the Event Viewer on the domain controller and come to Windows Logs and then Security, we should see somewhere along the lines an Audit Failure, which is here. Now this is for the Kerberos Authentication Service, so "Kerberos pre-authentication failed". All this event is saying is that the user account AD\Danny has essentially tried to authenticate, the authentication has failed, and it is logged on whatever domain controller serves that authentication ticket. Now if you've got multiple domain controllers, these logs aren't synchronised, so you might get a failure on one domain controller and not the others, because only one domain controller will respond to the Kerberos ticket. So if you wanted to, you could set up an event monitor for event ID 4771 and that will just notify you any time someone fails to log on. Now that's how you can use Group Policy to monitor for failed logon attempts in Active Directory.
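The video stops at finding the events by hand in Event Viewer. The following PowerShell is an added example, not code from the video or its author: it first verifies that the advanced audit policy actually took effect on the local machine, then pulls the failure events that the enabled subcategories produce (4625 from Audit Logon, 4740 from Audit Account Lockout, 4771 from Audit Kerberos Authentication Service, 4776 from Audit Credential Validation) from a list of machines and summarises them per account. The computer list, the 24-hour window, the alert threshold and the status-code table are assumptions chosen for the example; the caller is assumed to be able to read the remote Security logs (Event Log Readers membership and the remote event log firewall rules) and to run from an elevated prompt, which auditpol requires.

```powershell
# Added example, not from the video. Assumptions: $Computers lists every domain
# controller (their Security logs are not replicated, so each one must be queried)
# plus any workstations of interest; the caller can read the remote Security log.
param(
    [string[]]$Computers      = @($env:COMPUTERNAME),
    [datetime]$Since          = (Get-Date).AddHours(-24),
    [int]     $AlertThreshold = 5        # assumption: flag accounts with this many failures
)

# 1. Confirm the GPO landed on this machine: show the effective policy, not the GPO.
gpupdate /force | Out-Null
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Events produced by the subcategories enabled in the video.
#    4625 failed logon               (Audit Logon; on the machine being logged on to)
#    4740 account locked out         (Audit Account Lockout; on the DC)
#    4771 Kerberos pre-auth failed   (Audit Kerberos Authentication Service; on the DC)
#    4776 NTLM credential validation (Audit Credential Validation; on the DC, or the local SAM)
$Ids = 4625, 4740, 4771, 4776

# Status codes worth telling apart; anything else is reported raw.
$Reason = @{
    '0xc000006a' = 'bad password'             # 4625 SubStatus / 4776 Status
    '0xc0000064' = 'unknown user name'        # 4625 SubStatus / 4776 Status
    '0xc0000234' = 'account locked out'       # 4625 SubStatus / 4776 Status
    '0x18'       = 'bad password'             # 4771 Status, KDC_ERR_PREAUTH_FAILED
    '0x12'       = 'account locked/disabled'  # 4771 Status, KDC_ERR_CLIENT_REVOKED
}

# Read a named <Data Name="..."> field from the event XML rather than relying on
# positional Properties[] indexes, which differ from one event ID to the next.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($c in $Computers) {
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"   # also raised when no events match
        continue
    }
    foreach ($e in $events) {
        $user = Get-EventField $e 'TargetUserName'
        $code = $null; $src = $null
        if     ($e.Id -eq 4625) { $code = Get-EventField $e 'SubStatus'; $src = Get-EventField $e 'IpAddress' }
        elseif ($e.Id -eq 4740) { $code = 'lockout'; $src = Get-EventField $e 'TargetDomainName' }  # caller computer
        elseif ($e.Id -eq 4771) { $code = Get-EventField $e 'Status'; $src = Get-EventField $e 'IpAddress' }
        elseif ($e.Id -eq 4776) {
            $code = Get-EventField $e 'Status'; $src = Get-EventField $e 'Workstation'
            if ($code -eq '0x0') { continue }   # success audit (the policy logs those too); keep failures only
        }
        $key    = ([string]$code).ToLower()
        $reason = if ($Reason.ContainsKey($key)) { $Reason[$key] } else { $code }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $c
            Id       = $e.Id
            User     = $user
            Source   = $src
            Reason   = $reason
        }
    }
}

# 3. Timeline of failures, newest first.
$rows | Sort-Object Time -Descending | Format-Table Time, Computer, Id, User, Source, Reason -AutoSize

# 4. Accounts at or over the threshold across all queried machines: what you would alert on.
$rows | Where-Object Id -ne 4740 | Group-Object User |
    Where-Object Count -ge $AlertThreshold |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count,
                  @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the output. Because a failed Kerberos pre-authentication is only logged on the domain controller that answered the request, the per-account count is only meaningful when every DC is in $Computers; the exception is 4740, which is always logged on the PDC emulator as well, so that one DC is enough for lockouts. The IpAddress field on 4771 (and on 4625 for network logons) is usually an IPv4-mapped IPv6 string such as ::ffff:10.0.0.5, so match on the suffix rather than on an exact IPv4 value if you build alerts on it.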
Info
Channel: Danny Moran
Views: 7,558
Keywords: danny moran, how to, step by step, guide, tutorial, audit policies, logon audit, active directory audit
Id: Xo2vo5W6XPY
Length: 5min 45sec (345 seconds)
Published: Sat Sep 16 2023