Where will audit logs be stored?

    Question

  • Windows Server 2008 R2 sp1

    If I enable auditing for user login/logouts, do I have the option to store such activity on each user's computers, or by design will the log be stored on DC servers?

    Sunday, August 30, 2015 3:00 PM

Answers

  • Hi

    Audit Account Logon Events

    Microsoft should have named the Audit account logon events policy category Audit authentication events. On DCs, this policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. On a workstation or member server, the policy records any logon attempts that use a local account that is stored in the computer's Security Account Manager (SAM).

            The policy has four subcategories:   

      • Credential Validation
      • Kerberos Authentication Service
      • Kerberos Service Ticket Operations
      • Other Account Logon Events

      Logon Events 

    This audit policy actually controls the Logon/Logoff audit category. The main objective of the Audit logon events policy is to record all attempts to log on to or log off of the local computer by using either a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn't logging on to the DC; the DC is simply authenticating the user.) Still, in such an instance a network logon event (4624) will appear in the DC's security log because the workstation must log on to the DC as the user to apply Group Policy for that user. But to track all domain account authentication, you should use Audit account logon events.

            The Audit logon events policy has nine subcategories:   

    • Logon
    • Logoff
    • Account Lockout
    • IPsec Main Mode
    • IPsec Quick Mode
    • IPsec Extended Mode
    • Special Logon
    • Other Logon/Logoff Events
    • Network Policy Server

    For detailed information, check this article:

    https://www.ultimatewindowssecurity.com/securitylog/resourcekits/book2008/chapter2.aspx

    Sunday, August 30, 2015 4:03 PM

All replies

  • I don't believe it!

    "Microsoft doesn't provide subcategory settings in Group Policy. (We can't believe it either!) You can set subcategories only by using a command-line program called Auditpol (Figure 2-3). Auditpol cannot be run on a remote computer. To set the policy on all systems you would need to run a script using that uses this tool."

    Thanks for the link. It makes sense now.

    Monday, August 31, 2015 5:43 AM
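
Added example, not part of the original thread: a PowerShell sketch of the kind of Auditpol script the quoted passage calls for, using the subcategory names listed in the answer and then reading the local Security log to show where the events land. The event IDs other than 4624 (4634 logoff, 4776 credential validation, 4768/4769 Kerberos ticket requests) and the choice of which subcategories to enable are assumptions of this example.

```powershell
# Added example: run in an elevated PowerShell session on the machine being configured.
# Win32_ComputerSystem.DomainRole 4 and 5 mean backup and primary domain controller.
$isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4

# Logon/Logoff subcategories: events are written to the Security log of the
# machine being logged on to (workstation, member server, or the DC itself).
$wanted = @('Logon', 'Logoff', 'Account Lockout', 'Special Logon')

# Account Logon subcategories: events are written on the machine that validates
# the credential. For local SAM accounts that is this computer; for domain
# accounts it is a DC, which is also where the Kerberos subcategories apply.
$wanted += 'Credential Validation'
if ($isDC) {
    $wanted += 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'
}

foreach ($sub in $wanted) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$sub'" }
}

# Show the effective settings for both categories discussed in the thread.
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# Read back recent events from the local Security log only.
# 4624 = logon, 4634 = logoff, 4776 = credential validation,
# 4768/4769 = Kerberos TGT / service ticket requests (logged on DCs).
$ids = @(4624, 4634, 4776)
if ($isDC) { $ids += 4768, 4769 }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName |
    Format-Table -AutoSize
```

Run on a workstation, the query returns only that machine's logon and logoff events; the authentication events for domain accounts appear only when the same query is run on a DC. Category-level audit settings delivered by Group Policy can overwrite subcategory settings made this way unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.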