Windows 2012 r2 setting up Audit Policy for Logon Events - failed

    Question

  • Can either of these Windows policies be set up to record failed logon attempts onto one specific server on a domain of about 15 servers?

    These are the policies: Audit logon events, Audit account logon events.

    Monday, April 24, 2017 2:15 AM

All replies

  • Hi,
    Audit Logon generates events for the creation and destruction of logon sessions.  These events occur on the machine which was accessed.  In the case of an interactive logon, these would be generated on the machine which was logged on to.  In the case of network logon, for example, accessing a share, these events would be generated on the machine hosting the resource that was accessed.
    Audit Account Logon generates events for credential validation. These events occur on the machine which is authoritative for the credentials.  For domain accounts, the domain controller is authoritative. For local accounts, the local machine is authoritative.  Since domain accounts are used much more frequently in enterprise environments than local accounts, most of the Account Logon events in a domain environment occur on the domain controllers which are authoritative for the domain accounts. 
    According to your description, you could forward the related event logs from the different servers to that specific server: https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 27, 2017 9:02 AM
    Moderator
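
The two steps the reply above implies (turn on failure auditing, then read the failures where they land), as an added PowerShell example that is not part of the original thread. `Get-FailedLogon` is a hypothetical helper name; event IDs 4625, 4771 and 4776 are the standard failure events for the Logon, Kerberos Authentication Service and Credential Validation subcategories.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.

# 1. Enable failure auditing. In a domain, a GPO under Advanced Audit Policy
#    Configuration overrides these local settings at the next policy refresh.
# "Audit logon events": logged on the server that was accessed
auditpol /set /subcategory:"Logon" /failure:enable
# "Audit account logon events": logged where the credentials are validated (DCs)
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

# 2. Read the failures back, locally or on the event-forwarding collector.
function Get-FailedLogon {
    param(
        [string]$LogName = 'Security',   # use 'ForwardedEvents' on the collector
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = $LogName
        Id        = 4625, 4771, 4776     # failed logon, Kerberos pre-auth, NTLM validation
        # 4776 is also logged for successes, so keep Audit Failure records only
        Keywords  = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure.value__
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <EventData><Data Name="..."> into a name/value table
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LoggedOn  = $_.MachineName   # originating computer, also for forwarded events
            EventId   = $_.Id
            Account   = $fields['TargetUserName']
            LogonType = $fields['LogonType']   # present on 4625 only
            # The source field is named differently in each of the three events
            Source    = (@($fields['IpAddress'], $fields['WorkstationName'], $fields['Workstation']) -ne $null) -join ', '
            Status    = $fields['Status']
        }
    }
}

# Example: failures per account as seen on the collector
Get-FailedLogon -LogName 'ForwardedEvents' | Group-Object Account | Sort-Object Count -Descending
```
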
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you would mark them as answers. If you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, May 5, 2017 7:22 AM
    Moderator