SSW Foursquare

Do you use Group Policy to enable auditing of logon attempts​?

Last updated by Warwick Leahy [SSW] 11 months ago.See history

It is important as a Network Administrator to know when and where failed login attempts are coming from. Through Group Policy you can enable "Audit logon events".

  1. Create a group policy called 'Logon Auditing Policy'
  2. Right click on 'Logon Auditing Policy' and click on Edit to bring up Group Policy Management Editor
  3. Select 'Audit account logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure
  4. Select 'Audit logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure

failed login 1
Figure: Select 'Audit logon events'

  1. Select 'Audit: Force audit policy...' from Computer Configuration | Policies | Windows Settings | Local Policies | Security Options and set to Enabled

failed login 2
Figure: Select 'Audit: Force audit policy...'

failed login 3
Figure: Successful and Failed login attempts will now appear in Event Viewer | Security

Now when you will have access to seeing success/failed login attempts on user accounts, these can then be captured and audited with your own internal process or a third party application such as Whats Up Gold, see: Do you monitor failed login attempts?

Steven Andrews
Chris Schultz
Warwick Leahy
Active Directory
We open source.Loving SSW Rules? Star us on GitHub. Star
Stand by... we're migrating this site to TinaCMS