OVERVIEW: Audit Logon Events
The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.
Bottom Line
- Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
- Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead.
OVERVIEW: Audit Account Logon Events
Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.
Bottom Line
- Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers, including workstations.
- Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead.
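For the Windows Server 2008 and Vista recommendation above, one way to set and then verify logon-related subcategories with `auditpol` from an elevated PowerShell prompt. This is an added example, not from the article: the choice of subcategories and their success/failure settings is an assumption for illustration, and the subcategory names are the English ones.

```powershell
# Added example. The subcategories and success/failure choices are assumptions
# for illustration, not recommendations taken from the article.
$desired = @{
    # "Logon/Logoff" category: attempts to log on to THIS computer
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    # "Account Logon" category: authentication performed BY this computer
    # (a DC for domain accounts, any machine for its local SAM accounts)
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
}

function Get-AuditSubcategory {
    # /r prints the effective policy as CSV; the columns used here are
    # "Subcategory" and "Inclusion Setting".
    auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

# Index the current settings so names this OS build lacks are skipped, not guessed.
$current = @{}
Get-AuditSubcategory | ForEach-Object { $current[$_.Subcategory] = $_.'Inclusion Setting' }

foreach ($name in $desired.Keys) {
    if (-not $current.ContainsKey($name)) {
        Write-Warning "Subcategory '$name' is not present on this system; skipped."
        continue
    }
    $success = if ($desired[$name] -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($desired[$name] -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$name" /success:$success /failure:$failure | Out-Null
}

# Read the policy back and report any subcategory that does not match.
Get-AuditSubcategory |
    Where-Object { $desired.ContainsKey($_.Subcategory) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Subcategory = $_.Subcategory
            Expected    = $desired[$_.Subcategory]
            Actual      = $_.'Inclusion Setting'
            Match       = ($_.'Inclusion Setting' -eq $desired[$_.Subcategory])
        }
    } | Format-Table Subcategory, Expected, Actual, Match -AutoSize
```

If category-level audit settings are also delivered by Group Policy, they can overwrite these subcategory settings unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.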
I’d like to thank you for the efforts you have put in penning this website. I am hoping to check out the same high-grade content by you in the future as well. In truth, your creative writing abilities have motivated me to get my own website now 😉
Hey,
Thank you for the article on TechNet about SCOM alerts for security event log alerts. Great help, thanks.
You are more than welcome.