crcsupport asked:
Auditing domain account logon attempt, failure, lockout

I have a password policy on a Windows domain (functional level 2003), with account lockout after 10 failed attempts.
Most of the time, users type wrong passwords or the wrong computer name on Remote Desktop.
I enabled the domain 'Account Logon Event' audit under Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Now, on one of the DCs, it generates account logon/logoff events. But most of them are network logons, such as accessing network shares and apps.

I would like to audit only logon type 2 (interactive logon with keyboard typing), success or failure.
How can I do that?

Also, after this change, I tried typing a wrong password to log on to the domain from one of the workstations, but the logon failure does not show up in the DC's Security event log. Why?
ASKER CERTIFIED SOLUTION
crcsupport
btan

Logging based on logon type is not available, though filtering in search is supported and more often used. Please see this advice:

https://www.experts-exchange.com/questions/28255914/How-to-log-ONLY-Logon-Type-2-events-Interactive-for-eventID-4624.html?anchorAnswerId=39542299#a39542299


Do ensure the setting is done in the "Default Domain Controllers" Policy so it applies to the DCs, and test using domain accounts. For the filtered search view, you may consider this search string, but the event IDs may differ when using Windows 2003, e.g. 528 for successful logon, 539 for user failed to logon.

http://nerdsknowbest.blogspot.sg/2013/03/filter-security-event-logs-by-user-in.html?m=1
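Since the audit policy cannot be restricted to a single logon type, the practical approach is to filter the Security log after the fact. The script below is an added example, not code from the question or from btan's answer. It assumes the Windows Server 2008 / Vista or later event IDs (4624 successful logon, 4625 failed logon, both of which carry a LogonType field); Windows 2003 DCs use 528/529/539 with a different EventData layout, so the XPath filter does not apply to them. It also lists the "Account Logon" category events a DC records when a domain password is rejected (4771 Kerberos pre-authentication failure, 4776 NTLM validation, 4740 account lockout), which carry no LogonType at all: a bad password typed at a workstation reaches the DC as one of these, while the 4625 is written on the workstation itself. The `$ComputerName`, `$LogonType` and `$MaxEvents` parameters are this example's own.

```powershell
# Added example (not from the question or answer): filter a Security log for
# interactive (LogonType 2) logon successes/failures, then list the DC-side
# "Account Logon" failures that have no LogonType field.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC or workstation whose Security log to read (assumed readable by the caller)
    [int]$LogonType = 2,                        # 2 = Interactive; 10 = RemoteInteractive (RDP) if that is what you want
    [int]$MaxEvents = 200
)

# Turn the <EventData><Data Name="..."> elements of an event into a hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4624 = successful logon, 4625 = failed logon; both carry LogonType.
function Get-InteractiveLogon {
    $xpath = "*[System[(EventID=4624 or EventID=4625)] and EventData[Data[@Name='LogonType']='$LogonType']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ConvertTo-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventID     = $_.Id
            Result      = $(if ($_.Id -eq 4624) { 'Success' } else { 'Failure' })
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            # 4625 only: 0xC000006A = wrong password, 0xC0000064 = unknown user, 0xC0000234 = account locked out
            SubStatus   = $data['SubStatus']
        }
    }
}

# DC-side view of a rejected domain password. 4771 Status 0x18 = wrong password
# (Kerberos pre-auth failed); 4776 Status other than 0x0 = NTLM failure;
# 4740 = lockout, written only on the PDC emulator.
function Get-AccountLogonFailure {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776, 4740 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ConvertTo-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventID     = $_.Id
            User        = $data['TargetUserName']
            # 4776 names the client as "Workstation"; 4771 gives only the client IP
            Workstation = $(if ($data['Workstation']) { $data['Workstation'] } else { $data['IpAddress'] })
            Status      = $data['Status']
        }
    } |
    Where-Object { -not ($_.EventID -eq 4776 -and $_.Status -eq '0x0') }   # drop successful NTLM validations
}

"== Interactive logons (LogonType $LogonType) on $ComputerName =="
Get-InteractiveLogon | Format-Table -AutoSize

"== Account Logon failures and lockouts recorded on $ComputerName =="
Get-AccountLogonFailure | Format-Table -AutoSize
```

Run it against each DC (and against the PDC emulator for 4740) with an account that can read the remote Security log; an interactive bad-password attempt at a domain-joined workstation will show up in the second table on the authenticating DC and in the first table only on the workstation. The same XPath string can be pasted into Event Viewer's "Filter Current Log" XML tab or a scheduled task trigger if you prefer the GUI to a script.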