How to Monitor User Logons in Active Directory Domain

Authored by: Support.com Tech Pro Team

1. Introduction

How to Monitor User Logons in Active Directory Domain

 

2. Step 1: Create New GPO

Perform the following steps to apply policy:

  1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools”, and double-click “Group Policy Management” to access its window.
     Note: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC”, and click “OK” to access the Group Policy Management console.
  2. In the “Group Policy Management” window, double-click the “Forest” node to select the “Domain” node.
  3. Now, right-click on “Domain”, and select “Create a GPO in this domain, and Link it here”.

3. Step 2: Edit the GPO to Enable Auditing

  1. Right-click the newly created GPO and click “Edit”.
  2. Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
Figure 2: Group Policy Management Editor
  3. Expand the “Audit Policies” node to access its sub-policies, which represent different event categories.
  4. Select “Audit Logon”.
  5. Double-click the “Audit Logon” policy in the right pane to access its properties.
  6. Select “Configure the following audit events” and then select the “Success” and “Failure” check boxes.
  7. Click “Apply” and then “OK”.

4. Step 3: Audit the Security Event Logs

  1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Event Viewer”.
  2. In the left panel, go to “Windows Logs” ➔ “Security” to view the security logs.
  3. Search for Event ID 4648 to find the corresponding record.
  4. A dialog box appears confirming that “a logon was attempted using explicit credentials”.
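
The same review of Event ID 4648 can be scripted instead of clicking through Event Viewer. The PowerShell below is an added example, not part of the original article; the function names `ConvertFrom-Event4648` and `Get-ExplicitCredentialLogon` and the sample event are constructed for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the computer whose
# Security log you are reviewing (the GPO from Steps 1-2 must have applied).
# Confirm the audit setting first with:  auditpol /get /subcategory:"Logon"

function ConvertFrom-Event4648 {
    # Flattens the XML of one Event ID 4648 record into an object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeUtc       = $EventXml.Event.System.TimeCreated.SystemTime
        Computer      = $EventXml.Event.System.Computer
        Caller        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        CredentialFor = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        TargetServer  = $data.TargetServerName
        Process       = $data.ProcessName
        SourceAddress = $data.IpAddress
    }
}

function Get-ExplicitCredentialLogon {
    # Reads the newest 4648 events from the live Security log.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-Event4648 -EventXml $_.ToXml() }
}

# Constructed sample record (invented names) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetServerName">FS01.example.local</Data>
    <Data Name="ProcessName">C:\Windows\System32\runas.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4648 -EventXml $sample

# Live use: which account used whose credentials, most frequent pairs first.
# Get-ExplicitCredentialLogon | Group-Object Caller, CredentialFor | Sort-Object Count -Descending
```

The `Caller` column is the account that was already logged on, and `CredentialFor` is the account whose credentials it supplied.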