crcsupport
Auditing domain account logon attempt, failure, lockout
I have a password policy on a Windows domain (functional level 2003), with account lockout after 10 failed attempts.
Most of the time, users type wrong passwords or the wrong computer name on Remote Desktop.
I enabled domain 'Account Logon Event' audit on Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Now on one of the DCs, it generates account logon/off events. But most of them are network logons, such as accessing network shares and apps.
I would like to audit only logon type 2 (interactive logon event with keyboard typing), success or failure.
How can I do that?
Also, after this change, I tried typing a wrong password to log on to the domain from one of the workstations, but it doesn't show the failed logon attempt in the DC's security event window. Why?
ASKER CERTIFIED SOLUTION
https://www.experts-exchange.com/questions/28255914/How-to-log-ONLY-Logon-Type-2-events-Interactive-for-eventID-4624.html?anchorAnswerId=39542299#a39542299
Do ensure the setting is done on the "Default Domain Controller" Policy to apply to the DCs, and test it out using domain accounts. For the filtered search view, you may consider this search string, but it may differ on the event ID if using Windows 2003, e.g. 528 for successful logon, 539 for user failed to logon.
http://nerdsknowbest.blogspot.sg/2013/03/filter-security-event-logs-by-user-in.html?m=1
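Added example, not part of the original thread: one way to pull only interactive (logon type 2) successes and failures out of the Security log with an XPath filter. It assumes Windows Vista/Server 2008 or later, where a successful logon is event 4624 and a failed logon is 4625; the function name `Get-InteractiveLogon` and its parameters are hypothetical. Logon events are written on the computer where the logon takes place, so point `-ComputerName` at that machine.

```powershell
# Added example (hypothetical helper, not from the thread).
# 4624 = successful logon, 4625 = failed logon; LogonType 2 = interactive.
function Get-InteractiveLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )

    # Filter on the server side: event ID in System, LogonType in EventData.
    $xpath = "*[System[(EventID=4624 or EventID=4625)] and " +
             "EventData[Data[@Name='LogonType']='2']]"

    # Get-WinEvent raises an error when nothing matches; suppress it so an
    # empty result is simply an empty pipeline.
    Get-WinEvent -ComputerName $ComputerName -LogName Security `
                 -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the named <Data> elements into a lookup table.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                User        = '{0}\{1}' -f $data['TargetDomainName'],
                                           $data['TargetUserName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                Status      = $data['Status']      # present on 4625 only
                SubStatus   = $data['SubStatus']   # present on 4625 only
            }
        }
}

# Usage: list recent interactive logon failures on the local machine.
Get-InteractiveLogon -MaxEvents 500 |
    Where-Object { $_.Result -eq 'Failure' } |
    Format-Table TimeCreated, User, Workstation, SubStatus -AutoSize
```

The same XPath string can be pasted into the XML tab of an Event Viewer custom view, inside a `<Select Path="Security">` element.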