Here is a quick how-to for setting up monitoring of user logons in a domain on Windows Server 2012 R2. Why is this important? Continuous monitoring of both failed and successful logon attempts tells you when something is going on with the user accounts in your domain, and it can reveal a brute-force attack even when the attacker stays below the lockout threshold and never causes an account lockout.
Step # 1:
Run gpmc.msc (Group Policy Management) → create a new GPO → edit it: go to “Computer Configuration” → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
- Audit Logon → Configure the following audit events → Success and Failure.
Because this uses the advanced (subcategory) audit policy, also set Security Settings → Local Policies → Security Options → “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to Enabled, so that a legacy category-level audit policy cannot override it.
Step # 2:
Go to Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → define:
- Maximum security log size: 4 GB (the value is entered in KB).
- Retention method for security log: “Overwrite events as needed”. This discards the oldest events once the log is full, so size the log for the retention you need.
Step # 3:
Link the new GPO to the OU that contains the computer accounts you want to monitor: in “Group Policy Management” → right-click the OU → choose Link an Existing GPO → choose the GPO you created. Logon events are recorded in the Security log of the computer where the logon attempt is made, so the GPO must apply to every computer whose logons you want to see.
Step # 4:
Force the Group Policy update: in “Group Policy Management” right-click the OU → click “Group Policy Update” (or run gpupdate /force on the computers).
Step # 5:
Open Event Viewer and filter the Security log for event IDs 4624 (successful logon) and 4625 (failed logon). Event ID 4648 (a logon attempted with explicit credentials, e.g. runas) is also produced by the Audit Logon subcategory, but 4625 is the one to watch for brute-force attempts.
You are done: user logon monitoring is now set up on your Windows Server 2012 R2 domain. For a quick look at the logs you can use a PowerShell one-liner to pull the events from the last 24 hours, or create a custom view in Event Viewer for these event IDs; there are many ways to get an easy view of this on your server.
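As an added example (not part of the original post), the following PowerShell script pulls the 4624/4625 events from the last 24 hours on the local server, groups failed logons by account and source address, and flags accounts whose failure count exceeds a threshold, which is exactly the low-and-slow pattern that never trips the lockout policy. The 24-hour window, the threshold of 10 and the output format are illustrative choices, not values from the page; the script must run elevated on a computer the GPO applies to.

```powershell
# Added example: summarise logon events from the local Security log.
# Assumptions (not from the original page): run as Administrator on a
# server the audit GPO applies to; $Threshold and the 24 h window are
# illustrative values.

$Since     = (Get-Date).AddHours(-24)
$Threshold = 10

# 4624 = successful logon, 4625 = failed logon (Audit Logon subcategory)
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Pull the fields we need out of each event's XML. The Data names are the
# ones Windows uses in the EventData block of 4624/4625.
$Rows = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
        Status    = $d['Status']      # 4625 only
        SubStatus = $d['SubStatus']   # 4625 only: 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Failed logons grouped by account and source, most frequent first
$Failed = $Rows | Where-Object Id -eq 4625 |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name

"Failed logons since $Since (top 20 account/source pairs):"
$Failed | Select-Object -First 20 | Format-Table -AutoSize

# A lockout policy of e.g. 5 attempts in 30 minutes never fires on 10
# attempts spread over a day; counting over the whole window does.
$Suspicious = $Failed | Where-Object Count -ge $Threshold
if ($Suspicious) {
    "Possible brute force (>= $Threshold failures per account/source):"
    $Suspicious | Format-Table -AutoSize

    # A success from the same source after a burst of failures is the case
    # worth acting on immediately.
    foreach ($s in $Suspicious) {
        $acct, $src = $s.Name -split ', '
        $hit = $Rows | Where-Object { $_.Id -eq 4624 -and $_.Account -eq $acct -and $_.Source -eq $src }
        if ($hit) { "  $acct from $src later logged on successfully at $($hit[0].Time)" }
    }
}
```

Run it as a scheduled task and write the output somewhere outside the server's own event log if you want it to survive the log being overwritten; the interesting fields for triage are LogonType (3 = network, 10 = RDP) and SubStatus, which tells a password-guessing run against real accounts apart from a username enumeration run against unknown ones.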