How to Monitor User Logons in Active Directory Domain
Authored by: Support.com Tech Pro Team
1. Introduction
How to Monitor User Logons in Active Directory Domain
2. Step 1: Create New GPO
Perform the following steps to apply policy:
Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools”, and double-click “Group Policy Management” to access its window.
Note: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC”, and click “OK” to access the Group Policy Management console.
In the “Group Policy Management” window, double-click the “Forest” node to select the “Domain” node.
Now, right-click on “Domain”, and select “Create a GPO in this domain, and Link it here”.
3. Step 2: Edit the GPO to Enable Auditing
Right-click the newly created GPO and click “Edit”.
Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
Figure 2: Group Policy Management Editor
Expand the “Audit Policies” node to access its sub-policies, which represent different event categories.
Select “Audit Logon”.
Double-click the “Audit Logon” policy in the right pane to access its properties.
Select “Configure the following audit events” and then select the “Success” and “Failure” check boxes.
Click “Apply” and “OK”.
4. Step 3: Audit the Security Event Logs
Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Event Viewer”.
In the left panel, go to “Windows Logs” ➔ “Security” to view the security logs.
Search for Event ID 4648 to get the particular record.
A dialog box appears confirming that “a logon was attempted using explicit credentials”.
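The same review can be scripted instead of clicked through in Event Viewer. The following is an added example, not part of the original guide: it checks that the audit setting from Step 2 is in effect and then lists Event ID 4648 records with the accounts, target server and process involved. It assumes an elevated PowerShell session, an English display language (for the `auditpol` subcategory name) and a 24-hour look-back window.

```powershell
# Added example: run in an elevated PowerShell session on the computer
# whose Security log you want to review.

# 1. Confirm the GPO from Step 2 has applied. The "Logon" subcategory
#    should report "Success and Failure". (Name is language-dependent.)
auditpol /get /subcategory:"Logon"

# 2. Collect Event ID 4648 from the Security log.
#    The 24-hour window is an assumption; adjust it to your review period.
$filter = @{
    LogName   = 'Security'
    Id        = 4648
    StartTime = (Get-Date).AddHours(-24)
}
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Turn each record's EventData fields into named properties.
$report = foreach ($rec in $records) {
    $xml  = [xml]$rec.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated   = $rec.TimeCreated
        Computer      = $rec.MachineName
        # Account that was already logged on and supplied the credentials
        Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Account whose credentials were used
        TargetAccount = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        TargetServer  = $data['TargetServerName']
        Process       = $data['ProcessName']
        SourceAddress = $data['IpAddress']
    }
}

# 4. Newest records first.
$report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# 5. Count per subject/target pair so unusual combinations stand out,
#    for example a user account supplying an administrator's credentials.
$report |
    Group-Object Subject, TargetAccount |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the first command shows “No Auditing”, run `gpupdate /force` on the target computer and check again before relying on the log.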