Home
Do you use Group Policy to enable auditing of logon attempts​?
  v2.0 Posted at 25/07/2019 7:48 AM by Tiago Araujo

It is important as a Network Administrator to know when and where failed login attempts are coming from. Through Group Policy you can enable "Audit logon events".​

  1. ​Create a group policy called 'Logon Auditing Policy'
  2. Right click on 'Logon Auditing Policy' and click on Edit to bring up Group Policy Management Editor
  3. Select 'Audit account logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure
  4. Select 'Audit logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure
    failed-login-1.png
    Figure: Select 'Audit logon events'
  5. Select 'Audit: Force audit policy...' from Computer Configuration | Policies | Windows Settings | Local Policies | Security Options and set to Enabled
    failed-login-2.png
    Figure: Select 'Audit: Force audit policy...'
failed-login-3.png
Figure​: Successful and Failed login attempts will now appear in Event Viewer | Security​
Now when you will have access to seeing success/failed login attempts on user accounts, these can then be captured and audited with your own internal process or a third party application such as Whats Up Gold, see: Do you monitor failed login attempts?

Related rules

    Do you feel this rule needs an update?

    If you want to be notified when this rule is updated, please enter your email address:

    Comments: