Difference between Audit Logon Events and Audit Account Logon Events


OVERVIEW: Audit Logon Events

The Audit logon events policy records all attempts to log on to the local computer, whether by using a domain account or a local account. On DCs, this policy records attempts to access the DC only. The policy does not, for instance, track a user who uses a domain account to log on at a workstation. (In that case, the user isn’t logging on to the DC; the DC is simply authenticating the user.) To track all domain account authentication, you should use Audit account logon events.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers.
  • Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead


OVERVIEW: Audit Account Logon Events

Microsoft should have named the Audit account logon events policy Audit authentication events. On DCs, the policy tracks all attempts to log on with a domain user account, regardless of where the attempt originates. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s SAM.

Bottom Line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
  • Windows Server 2008 and Vista: I don’t recommend managing audit policy at this level because too much noise is generated. Use subcategories instead
Advertisements

3 thoughts on “Difference between Audit Logon Events and Audit Account Logon Events

  1. I’d like to thank you for the efforts you have put in penning this website.
    I am hoping to check out the same high-grade content
    by you in the future as well. In truth, your creative writing abilities has
    motivated me to get my own website now 😉

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s