An unusual flurry of account lockout events can indicate that an attacker is attempting to get inside your environment. However, auditing only account lockouts may not be enough to enable you to detect all attacks. For example, malicious software that randomly picks passwords for nonexistent usernames will not cause account lockouts. User logon auditing is the only way to detect all unauthorized attempts to log in to a domain. It’s necessary to audit logon events — both successful and failed — to detect intrusion attempts, even if they do not cause any account lockouts.

Native Auditing

1. Run gpedit.msc → Create a new GPO → Edit it: Go to “Computer Configuration” → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:

  • Audit Logon → Define → Success and Failure.

2. Go to Event Log → Define:

  • Maximum security log size to 4 GB
  • Retention method for security log to “Overwrite events as needed”.

3. Link the new GPO to OU with Computer Accounts: Go to “Group Policy Management” → right-click the defined OU → choose Link an Existing GPO → choose the GPO that you created.

4. Force the group policy update: In “Group Policy Management” right-click the defined OU → click “Group Policy Update”.

5. Open Event Viewer and search the Security log for event ID 4648 (Audit Logon).
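Once the GPO from the steps above has applied, the same check can be scripted instead of browsing Event Viewer by hand. The following PowerShell is an added example, not part of the original article: it confirms the Audit Logon subcategory, then summarizes events from that subcategory. It goes slightly beyond the article, which names only 4648, by also reading 4625 (failed logon) and 4624 (successful logon), which the same subcategory produces and which cover the failed-guess case from the introduction. The 24-hour lookback is an assumption; run it in an elevated session on a domain controller.

```powershell
# Added example (not from the original article). Verify the policy, then
# summarize Audit Logon events. Lookback window is an assumed value.

# 1. Confirm the "Logon" subcategory now audits Success and Failure.
auditpol /get /subcategory:"Logon"

# 2. Pull Audit Logon events. 4648 is the ID the article names; 4625/4624
#    are the failed/successful logon events from the same subcategory.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648
    StartTime = $since
} -ErrorAction SilentlyContinue

# Read a named EventData field from the event XML rather than relying on
# the positional order of $event.Properties.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 3. Failed logons grouped by source address. Many 4625s from one address
#    against many distinct usernames is the password-guessing pattern that
#    never triggers a lockout when the usernames do not exist
#    (SubStatus 0xC0000064 = user name does not exist).
$failed = $events | Where-Object Id -eq 4625 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = Get-EventField $_ 'TargetUserName'
        Source    = Get-EventField $_ 'IpAddress'
        SubStatus = Get-EventField $_ 'SubStatus'
    }
}
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
        @{n='DistinctUsers';e={($_.Group.User | Sort-Object -Unique).Count}},
        @{n='NoSuchUser';e={($_.Group | Where-Object SubStatus -eq '0xc0000064').Count}} |
    Format-Table -AutoSize

# 4. Explicit-credential logons (4648): who supplied credentials for whom.
$events | Where-Object Id -eq 4648 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Subject = Get-EventField $_ 'SubjectUserName'
        Target  = Get-EventField $_ 'TargetUserName'
        Server  = Get-EventField $_ 'TargetServerName'
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The SubStatus comparison is a string match on the hex value as it appears in the event XML; if your events render it in upper case, adjust the literal accordingly.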
