The purpose of this post is to define the process for auditing successful or failed logon and logoff attempts in the network using the audit policies.

“Audit Logon Events” and “Audit Account Logon Events”, the policies meant for monitoring logon/logoff events, are disabled by default. They must be enabled manually. Before learning how to enable these policies, it is important to know briefly what each one does.

The Audit Logon Events policy defines the auditing of every user attempt to log on to or log off from a computer.

The Audit Account Logon Events policy defines the auditing of every event generated on a computer that is used to validate user attempts to log on to or log off from another computer. Account logon events on domain controllers are generated for domain account activity, whereas those on local computers are generated for local user account activity. Such account logon events are generated and stored on the domain controller when a domain user account is authenticated on that domain controller. For local user accounts, these events are generated and stored on the local computer when a local user is authenticated on that computer.

Steps to track logon/logoff events in Active Directory:
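A check worth running before and after enabling the policies, given here as an added example that is not part of the original post: it reads the effective audit settings with `auditpol` and lists any logon-related subcategory that is still not audited. It assumes an elevated prompt and an English-language Windows install, where the two policies correspond to the `auditpol` categories "Logon/Logoff" and "Account Logon"; the function name `Get-LogonAuditState` is hypothetical.

```powershell
# Added example: report the effective audit state for the two logon-related
# categories on this machine (run on a domain controller to see the state
# for domain account authentication).
# Assumption: English category names; auditpol localizes them.

function Get-LogonAuditState {
    param(
        [string[]]$Category = @('Logon/Logoff', 'Account Logon')
    )
    foreach ($cat in $Category) {
        # /r emits CSV with the columns: Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
        $raw = & auditpol.exe /get /category:"$cat" /r 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$cat' (prompt not elevated?): $raw"
        }
        $raw |
            Where-Object { $_ -and $_.ToString().Trim() } |   # drop blank lines
            ConvertFrom-Csv |
            ForEach-Object {
                $setting = $_.'Inclusion Setting'
                [pscustomobject]@{
                    Category    = $cat
                    Subcategory = $_.Subcategory
                    Success     = $setting -match 'Success'
                    Failure     = $setting -match 'Failure'
                    Setting     = $setting
                }
            }
    }
}

$state = Get-LogonAuditState
$state | Format-Table -AutoSize

# Subcategories that record neither successful nor failed attempts.
$unaudited = @($state | Where-Object { -not $_.Success -and -not $_.Failure })
if ($unaudited.Count -gt 0) {
    Write-Warning ("{0} logon-related subcategories are not audited: {1}" -f `
        $unaudited.Count, ($unaudited.Subcategory -join ', '))
}
```

Because `auditpol` reports the effective policy, a subcategory that still shows "No Auditing" after a Group Policy change means the setting has not reached this machine yet.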