January 27, 2016

How to Monitor User Logоns in a Domain


1.
Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
  • Audit Logon → Define → Success And Failures.
2.
Go to Event Log → Define:
  • Maximum security log size to 4gb
  • Retention method for security log to "Overwrite events as needed".
3.
Link the new GPO to OU with Computer Accounts: Go to "Group Policy Management" → right-click the defined OU → choose Link an Existing GPO → choose the GPO that you created.
4.
Force the group policy update: In "Group Policy Management" right click on the defined OU → click on "Group Policy Update".
5.
Open Event viewer and search Security log for event id’s 4648 (Audit Logon).


source: netwrix.com

0 comments:

Post a Comment