Setting the Audit Policy

Ensure that the “Audit Policy” (part of the “Group Policy Management” settings) allows successful logons to generate the necessary events in the Windows Security Log of the AD domain controller machine. This is the default Windows setting, but you must explicitly verify that it is in effect.

 1. Choose Start > Programs > Administrative Tools > Group Policy Management.

 2. Navigate under Domains to the relevant domain(s).

 3. Expand the navigation tree.

 4. Right-click Default Domain Policy.

 5. Choose the Edit menu item, which will bring up the Group Policy Management Editor.

 6. From the navigation pane on the left of Group Policy Management Editor:

 7. Choose Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings.

 • For Windows Server 2003 or Windows Server 2008 (non-R2), choose Local Policies > Audit Policy. For the two Policy items, Audit Account Logon Events and Audit Logon Events, ensure that the corresponding Policy Setting for each of these either directly or indirectly includes the Success condition. To include the Success condition indirectly, the Policy Setting must be set to Not Defined, indicating that the effective value will be inherited from a higher level domain, and the Policy Setting for that higher level domain must be configured to explicitly include the Success condition.

 • For Windows Server 2008 R2 and Windows 2012, choose Advanced Audit Policy Configuration > Audit Policies > Account Logon. For the two Policy items, Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations, ensure that the corresponding Policy Setting for each of these either directly or indirectly includes the Success condition as described above.

 8. If any Audit Policy item settings have been changed, you should then run “gpupdate /force” to force the new settings to take effect.
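
To confirm the result on a Windows Server 2008 R2 or Windows 2012 domain controller, the following added example (not part of the original procedure) parses the CSV report produced by "auditpol /get ... /r" and flags either Kerberos subcategory whose effective setting does not include Success. The function name Test-KerberosAuditPolicy and the sample rows are constructed for illustration; the subcategory names assume an English-language OS, and the live command needs an elevated prompt.

```powershell
# Added example: verify that the two Account Logon subcategories include Success.
# Assumption: English-language OS (auditpol subcategory names are localized).
$Required = 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'

function Test-KerberosAuditPolicy {
    param(
        # Lines of CSV text in the format produced by "auditpol /get ... /r"
        [Parameter(Mandatory)] [string[]] $CsvLines
    )
    # auditpol emits blank lines around the report; drop them before parsing
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory    = $name
            Setting        = $setting
            # "Success" and "Success and Failure" both satisfy the requirement
            SuccessAudited = $setting -like 'Success*'
        }
    }
}

# Constructed sample (not captured from a real DC): one subcategory is misconfigured.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    'DC01,System,Kerberos Service Ticket Operations,{placeholder},Success and Failure,'
    'DC01,System,Kerberos Authentication Service,{placeholder},No Auditing,'
)
$result = Test-KerberosAuditPolicy -CsvLines $sample
$result | Format-Table -AutoSize

# Report any subcategory that will not log successful Kerberos activity
$missing = $result | Where-Object { -not $_.SuccessAudited }
if ($missing) {
    Write-Warning ("Success auditing missing for: " + ($missing.Subcategory -join ', '))
}

# On the domain controller, after "gpupdate /force", check the effective policy:
# $live = auditpol /get /subcategory:"Kerberos Authentication Service","Kerberos Service Ticket Operations" /r
# Test-KerberosAuditPolicy -CsvLines $live
```

auditpol reports the effective policy on the machine where it runs, so a value inherited through Not Defined shows up here as the setting actually applied.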