Event ID : 4624

    Question

  • Hi, We have the following Advanced Audit policies configured for our domain, but still we don't see the event logs with machine & user logon details. Your help is very much appreciated.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/30/2016 10:48:37 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC
    Description:
    An account was successfully logged on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Impersonation Level: Delegation

    New Logon:
    Security ID: S-1-5-21-3803837968-1534464277-3267097699-47311
    Account Name: L-3PLHH92$
    Account Domain: CORP
    Logon ID: 0x15B72B10B
    Logon GUID: {07261433-bae2-c8ef-34e8-4aa451c95ab9}

    Process Information:
    Process ID: 0x0
    Process Name: -

    Network Information:
    Workstation Name:
    Source Network Address: 10.20.111.50
    Source Port: 55026

    Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0



    Friday, September 30, 2016 5:26 PM

Answers

  • Hi,

    Check if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled. That will enforce the 'advanced' auditing categories.

    Please see the below description of this setting:

    “legacy audit settings can be applied to all Windows versions, the advanced audit settings can be applied only to Windows Vista and above, and Windows 2008 and above. Implementing both the legacy and advanced audit policy settings will cause unexpected outcomes due to conflicts between similar settings in the two groups of policy settings. Enabling the Audit: Force audit policy subcategory settings (Windows Vista or later) will ensure the legacy audit settings are ignored. In other words, If this option is checked, legacy Audit policies (pre-vista) will not be applied and must be set under Advanced Audit Policy Configuration.”

    Please verify this setting in your environment.

    More articles for your reference:

    Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    https://technet.microsoft.com/en-us/library/dd772710%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Getting the Effective Audit Policy in Windows 7 and 2008 R2

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 5, 2016 2:11 AM
    Moderator
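
One way to run the check suggested in this answer on the affected machine, as an added example that is not part of the original thread: it reads the registry value that backs the "Force audit policy subcategory settings" option (`SCENoApplyLegacyAuditPolicy` under the Lsa key) and lists the effective Logon/Logoff subcategory settings with `auditpol`. The function names are hypothetical, and an elevated prompt on an English-language system is assumed.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
function Get-AuditOverrideState {
    # Registry value that backs the "Audit: Force audit policy subcategory
    # settings ..." security option (1 = enabled, 0 = disabled).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $key -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    if ($prop.SCENoApplyLegacyAuditPolicy -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-LogonAuditSetting {
    # "/r" makes auditpol emit CSV. The category name below is the English
    # one; it is localized on other display languages.
    $csv = auditpol.exe /get /category:"Logon/Logoff" /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
    $csv | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory   = $_.Subcategory
            Setting       = $_.'Inclusion Setting'
            # True when the subcategory records successful events
            AuditsSuccess = $_.'Inclusion Setting' -like '*Success*'
        }
    }
}

"Subcategory override: $(Get-AuditOverrideState)"
Get-LogonAuditSetting | Format-Table -AutoSize
```

If the Logon and Logoff rows do not show Success here even though the GPO sets them, the advanced policy is not the one in effect on that machine.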

All replies

  • Hi,

    Thanks for your post.

    Please check the below information:

    Event 4624 null sid is the valid event but not the actual user's logon event.

    The reason for the no network information is it is just local system activity.  Windows talking to itself.

    The "anonymous" logon has been part of Windows domains for a long time--in short, it is the permission that allows other computers to find yours in the Network Neighborhood.

    Check this article: http://www.morgantechspace.com/2013/10/event-4624-null-sid-repeated-security.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang




    Monday, October 3, 2016 4:26 AM
    Moderator
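
Once Logon auditing is in effect, the 4624 records still have to be narrowed to the ones that describe a person. The following is an added example, not code from the thread: it drops 4624 records whose New Logon account is a computer account (name ending in `$`, as in the event quoted in the question) or ANONYMOUS LOGON. `Select-UserLogon` and `New-SampleEventXml` are hypothetical names, and the second sample event (user `jdoe`) is constructed.

```powershell
# Added example; takes event XML such as (Get-WinEvent ...).ToXml() returns.
function Select-UserLogon {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $name = $data['TargetUserName']
        # Computer accounts end in '$'; ANONYMOUS LOGON is not a person either
        if ($name -like '*$' -or $name -eq 'ANONYMOUS LOGON') { return }
        [pscustomobject]@{
            User        = '{0}\{1}' -f $data['TargetDomainName'], $name
            LogonType   = [int]$data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# Helper that builds minimal 4624-shaped XML for the offline samples below
function New-SampleEventXml([hashtable]$Fields) {
    $d = ($Fields.GetEnumerator() |
        ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
        "<EventData>$d</EventData></Event>"
}

$samples = @(
    # Mirrors the event in the question: computer account, network logon
    New-SampleEventXml @{ TargetUserName = 'L-3PLHH92$'; TargetDomainName = 'CORP'
                          LogonType = 3; WorkstationName = ''; IpAddress = '10.20.111.50' }
    # Constructed: an interactive logon by a user account
    New-SampleEventXml @{ TargetUserName = 'jdoe'; TargetDomainName = 'CORP'
                          LogonType = 2; WorkstationName = 'WS-EXAMPLE'; IpAddress = '127.0.0.1' }
)
$samples | Select-UserLogon | Format-Table -AutoSize

# Against a live Security log (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | Select-UserLogon
```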
  • I concur with Alvwan's suggestion.

    Moreover, please check this article too which should be worth reading in your situation - https://community.spiceworks.com/how_to/130398-how-to-track-user-logon-sessions-using-event-log

    Monday, October 3, 2016 9:14 AM
  • Guys, Thanks for your reply.

    We have our GPO configured as Computer Configuration, Policies, Windows Settings, Security settings then advanced audit policy configuration Logon/Logoff - Both set for Success.

    But still we don't see an event log with computer name and login id together.

    Any suggestions?

    Monday, October 3, 2016 5:54 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang



    Monday, October 10, 2016 3:18 AM
    Moderator