Friday, September 9, 2016

Solved: Audit policies don't work on Windows Server 2012 domain controllers

I was working on a case where I needed to track logon events on domain controllers. So check Security event log domain controllers, but there were no Logon/Logoff events there.
So checked Defaul Domain Controllers policy GPO and saw that Logon/Logoff events were enabled for logging:

As it turned out on Windows Server 2008 or later you have to enable Advanced Audit policies. After enabling appropriate policies events started to show up in Security event log on domain controllers:


No comments:

Post a Comment