How do I enable "Audit user account logons" using PowerShell, to improve security?

  • Question

  • With successful hacking attacks more often employing valid Active Directory user credentials, it is quite helpful when administrators can easily poll user logon events. Rather than query every domain computer for its logon events, one can alter the Default Domain Controller Policy GPO to enable "Audit user account logons" (Success and Failure) then merely poll only the domain controller -- quite efficient. PowerShell helpfully has the Group Policy Module.

    Get-GPO "Default Domain Controllers Policy" will retrieve the top-level GPO object, but how do I enable that specific setting?

    Set-GPRegistryValue might be the right tool, but I cannot find any documentation on the values I need to supply to its parameters, -Name -Key -ValueName -Type -Value to enable "Audit user account logons" -- both Successes and Failures.

    One can manually modify this setting using the Group Policy Management console GUI on the domain controller, but I am trying to upgrade my professional work habits to use stored scripts, rather than unrecorded point & clicks, so that my actions are repeatable and documented.

    Any pointers to documentation or an example would be welcome.


    Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

    Monday, January 19, 2015 10:18 PM

Answers

  • Unless I am missing something (I am not a Group Policy expert), you cannot enable the setting you want by using the Group Policy PowerShell cmdlets.

    Even though your question involves PowerShell, it is not a scripting question, but a specific question about Group Policy. Please ask your question in the Group Policy forum.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 20, 2015 5:52 PM
    Moderator
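Added example, not part of the thread above. It shows why the Group Policy cmdlets have nothing to set here: category-level audit settings such as "Audit account logon events" are not registry policy (registry.pol), so Set-GPRegistryValue cannot reach them; they live in the GPO's security template, GptTmpl.inf, under the [Event Audit] section in SYSVOL (AuditAccountLogon = 0 none, 1 success, 2 failure, 3 success and failure). The script reads that template for the Default Domain Controllers Policy, compares it with what auditpol reports as actually in force on the DC, and offers a local auditpol fallback. Assumptions: the RSAT GroupPolicy module is present, the script runs on a DC (or a host with SYSVOL read access), the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}, and the four auditpol subcategories under "Account Logon". Caveats a practitioner should keep in mind: a GPO that defines the same category overwrites the local auditpol setting at the next refresh, editing GptTmpl.inf by hand also requires bumping the GPO version (gpt.ini and the AD versionNumber attribute) plus the security-settings extension GUIDs, and on Windows 2008 R2 and later an advanced audit policy (audit.csv in the GPO) takes precedence over the legacy categories when "Force audit policy subcategory settings" is enabled.

```powershell
# Added example (not from the original thread). Assumes RSAT GroupPolicy module,
# SYSVOL access, and the standard Policies\{GUID} layout described in the lead-in.
Import-Module GroupPolicy

$GpoName = 'Default Domain Controllers Policy'

# Legacy audit categories are stored in the GPO's security template, not registry.pol,
# which is why Set-GPRegistryValue has no key/value to point at for this setting.
function Get-GpoSecurityTemplatePath {
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name
    # Assumption: standard SYSVOL path built from the GPO's domain and GUID.
    $policyRoot = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    Join-Path $policyRoot 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
}

# Returns the [Event Audit] AuditAccountLogon value (0-3) or $null if not defined.
function Get-GpoAccountLogonAudit {
    param([Parameter(Mandatory)][string]$Name)
    $inf = Get-GpoSecurityTemplatePath -Name $Name
    if (-not (Test-Path -LiteralPath $inf)) { return $null }   # no template => not defined
    $hit = Select-String -LiteralPath $inf -Pattern '^\s*AuditAccountLogon\s*=\s*(\d+)' |
           Select-Object -First 1
    if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
}

# What is actually in force on this machine (merged result of local and GPO settings).
function Get-EffectiveAccountLogonAudit {
    # auditpol /r emits CSV; blank lines are dropped so ConvertFrom-Csv sees the header first.
    auditpol.exe /get /category:'Account Logon' /r |
        Where-Object { $_ -and $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Local fallback: enable Success and Failure for every "Account Logon" subcategory.
# A GPO that defines this category will overwrite it at the next policy refresh.
function Enable-LocalAccountLogonAudit {
    $subcategories = 'Credential Validation', 'Kerberos Authentication Service',
                     'Kerberos Service Ticket Operations', 'Other Account Logon Events'
    foreach ($sub in $subcategories) {
        auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
}

# --- Report -----------------------------------------------------------------
$names = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }
$gpoValue = Get-GpoAccountLogonAudit -Name $GpoName
if ($null -eq $gpoValue) {
    Write-Output "[$GpoName] AuditAccountLogon: not defined in GptTmpl.inf"
} else {
    Write-Output "[$GpoName] AuditAccountLogon = $gpoValue ($($names[$gpoValue]))"
}

Write-Output "Effective audit policy on $env:COMPUTERNAME (auditpol):"
Get-EffectiveAccountLogonAudit | Format-Table -AutoSize

# Uncomment to enforce locally; see the lead-in for how GPO refresh interacts with this.
# Enable-LocalAccountLogonAudit
```

Run it in an elevated PowerShell session on a domain controller. If the GPO value is 3 but auditpol shows a subcategory as "No Auditing", an advanced audit policy or a higher-precedence GPO is overriding the legacy category, and that is the layer to fix rather than the template.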

All replies

  • We do this with Group Policy.  Post in the GP forum for instructions.


    ¯\_(ツ)_/¯

    Tuesday, January 20, 2015 12:14 AM
  • Dear JRV:

    Scrolling to the top of the Script Center website and clicking on Forums, I do not see one listed for Group Policy. Can you provide a weblink to the Forum where you recommend I post my questions?

    Thanks.


    Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

    Tuesday, January 20, 2015 3:48 AM
  • You can find this very easily by searching for 'group policy forum':

    http://www.bing.com/search?q=group+policy+forum

    It is not difficult to find information using search engines, if you put forth a bit of effort.

    (Don't be helpless: You can find information too, if you try.)


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 20, 2015 4:04 AM
    Moderator
  • Group Policy


    ¯\_(ツ)_/¯

    Tuesday, January 20, 2015 5:18 AM
  • Dear Moderator:

    I have posted this question on TechNet's Group Policy Forum, too. I can indeed use Bing or Google to bring up many sites & Forums; I just wanted to know which one the experienced poster [JRV] recommended as the best place to post the question, based on their experience with that board's knowledgeable viewers. It is a valuable service when a colleague can point you to a particularly advanced source of information for your topic, and I appreciate him taking the time to do so.

    Previously, I spent over an hour manually searching the Windows Registry of a domain controller, then searched the PowerShell Forum for postings on Group Policy, reviewing the 300+ hits it returned, but none covered "Audit user account logons." So when someone replies where its Registry settings are located, this posting will fill that gap, allowing people to enable that setting using PowerShell, improving the security of their networks.


    Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

    Tuesday, January 20, 2015 2:13 PM
  • You may have to contact a consultant to help you with this.  The GP instructions are all available. Just edit the auditing policy in GP.  Contact your admin, vendor or consultant to set GP for you.

    Searching with Google I found the docs on the first try at the top of the first page: http://technet.microsoft.com/en-us/library/cc778162(v=ws.10).aspx


    ¯\_(ツ)_/¯

    Tuesday, January 20, 2015 4:16 PM
  • The following search may be instructive:

    http://www.bing.com/search?q=manage+group+policy+powershell

    Right at the top of the list of results is the following documentation link:

    Group Policy Cmdlets in Windows PowerShell

    The documentation lists precisely what the GPO PowerShell cmdlets can do.

    By reading the list of what the cmdlets can do, you can make some educated guesses about what the cmdlets cannot do.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, January 20, 2015 4:31 PM
    Moderator
  • I am quite familiar with enabling settings by manually using the Group Policy Management Console, understand what the "Audit user account logon" setting does, and have scripts that pull its recorded Audit Events from the Security log into reports.

    What I hope to do with this posting is learn how to have a PowerShell script enable the "Audit user account logons" settings, rather than rely on administrators manually opening the Group Policy Management console and knowing where to perform the appropriate point & clicks. The script would avoid human error, and the script's contents provide documentation for exactly what actions were performed, leaving an audit trail. The script would also have credentials to poll only the domain controller, rather than have rights to poll each domain computer's logs. Using PowerShell is more reliable and more secure, thus I want to learn how to do this audit task, and hope this posting helps other administrators switch from manual point & click to PowerShell, too.

    The PowerShell cmdlet Set-GPRegistryValue can change that Audit setting in the "Default Domain Controllers Policy" if I can supply the cmdlet's parameters with the Windows Registry path, Registry Key Name, Registry Key Type, and Registry Value for the "Audit user account logons" setting.

    I have manually searched the Windows Registry hives on the domain controller to discover that Registry key, searched the postings on the TechNet Group Policy and PowerShell Forums, and Googled "Audit user account logons." In every case, the posts use the Group Policy Management console to show how to manually enable that audit setting; alas, they do not provide any example using the PowerShell Group Policy Module cmdlets to enable that Audit setting, nor do they specify the Windows Registry location where that Audit setting is stored, which would allow one to pass that Registry hive to the Set-GPRegistryValue cmdlet's parameters.


    Jeffrey - New Orleans MCITP Enterprise Administrator, Virtualization Administrator

    Tuesday, January 20, 2015 5:44 PM