audit logs server 2008

amanzoor
Hi, I have made a GPO to fetch logs (audit account logon events, audit logon events: success, failure) under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, and linked this GPO to the default Domain Controllers OU in AD. All DCs are running Server 2008 Ent edition. After this I enforced the policy to download, checked via gpresult /r, and can see the policy name. Now when I want to check these logs from Computer, Manage, Diagnostics, Windows Logs, Security, the logs are not there, even though many people have logged on and off. What am I missing?
Do not confuse account logon with logon events.

Account logon occurs at the DC. Logon occurs specifically on the machine.

I hope this helps.
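
Added example, not written by any participant in this thread: the PowerShell below reads the Security log of the machine it runs on and separates the DC-side account logon events from the machine-side logon and logoff events distinguished above. It assumes PowerShell 2.0 or later, an elevated session, and the Security event IDs used by Windows Vista / Server 2008 and later; the 24-hour window is an arbitrary choice.

```powershell
# Added example; assumes PowerShell 2.0+, an elevated session, and the
# Security log event IDs used by Windows Vista / Server 2008 and later.
$meaning = @{
    4768 = 'Account logon: Kerberos TGT requested (recorded on the DC)'
    4776 = 'Account logon: NTLM credential validation (recorded on the DC)'
    4624 = 'Logon: session created (recorded on the machine logged on to)'
    4625 = 'Logon: failed attempt'
    4634 = 'Logoff: session destroyed'
    4647 = 'Logoff: user initiated'
}
$eventIds = 4768, 4776, 4624, 4625, 4634, 4647
$since    = (Get-Date).AddHours(-24)   # constructed choice: look back one day

$filter = @{ LogName = 'Security'; Id = $eventIds; StartTime = $since }

Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    # Read the named fields from the event XML instead of relying on
    # positional Properties[] indexes, which differ between event IDs.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Skip computer accounts (names ending in $) to leave user activity.
    if ($data['TargetUserName'] -like '*$') { return }

    # 4776 has no domain field and reports the client as 'Workstation'.
    $source = $data['IpAddress']
    if (-not $source) { $source = $data['WorkstationName'] }
    if (-not $source) { $source = $data['Workstation'] }

    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Meaning   = $meaning[$_.Id]
        Account   = ('{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName'])
        LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = remote desktop
        Source    = $source
    }
} | Select-Object Time, EventId, Meaning, Account, LogonType, Source |
    Sort-Object Time | Format-Table -AutoSize
```

Run on a DC, this lists the 4768/4776 account logon events; run on a workstation or member server, it lists that machine's own 4624/4634/4647 events, provided logon auditing is enabled there.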
amanzoor, Network infrastructure Admin

Author

Commented:
motnahp00:
Thanks, still need help.
Basically I would like to start seeing who is logged on and off (account logons) from any client computer on the domain. Considering the above audits have already been applied to my DCs, where would I go to check who is actually logged on and off (account logons)? Which category on the DC would I check? Is there anything else I need to enable? Security events are not showing me any domain logons with user credentials (domain\username).
Rich Rumble, Security Samurai
Top Expert 2006
Commented:
Account logons are logged by default; depending on what OS is being audited, the logon event and type can vary. Logoff is a very tough animal to keep track of; logoffs are reported far less often than the logons. You should check each computer's security policy settings
(as administrator, run cmd.exe)
auditpol /get /subcategory:"Logoff,Logon"

Output looks like this:

System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure

http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx
-rich
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21561
Distinguished Expert 2017
Commented:
Your GPO only applies to the default domain controller OU, meaning if a user logs into one of the DCs you will have the events.
As motnahp00 pointed out.

You can use a set of basic logon scripts that you will apply to the users.
logon.bat
@echo off
echo "on %date% %time%  user %username% logged into %computername% %sessiontype% using %logonserver% to authenticate" >> \\shareserver\sharename\login_logout.txt

logout.bat
@echo off
echo "on %date% %time%  user %username% logged out from %computername% " >> \\shareserver\sharename\login_logout.txt

The txt file has to be writeable by all authenticated users.

You could use other means and record the same data into a database.

The other option is to create an Auditing GPO that is applied to all systems or workstations to which users log in.
You would then use the Windows 2008 event forwarding feature, whereby events from all systems are forwarded to a central event repository.
http://technet.microsoft.com/en-us/library/cc748890.aspx

Using Splunk or similar tools you can then have access to the data.
There are many events that could be added when auditing is enabled, and they are not limited to a single login/logout event. There are file access and resource requests, depending on what events you are interested in.
You should take a look at UserLock, as this 3rd-party software solution allows (among other features) real-time session monitoring; at all times you know the number of concurrent logins, who is connected, from which workstation and since when.
It also sends popup or email alerts to the network administrators for specific events such as denied logins, successful logins and logoffs.

UserLock also records all session logging and locking events in an ODBC database (Access, SQL Server ...) for reporting. Reports can automatically be generated at regular intervals.

Detailed info and free fully-functional trial:
http://www.isdecisions.com/products/userlock/
