1

I recently discovered that all of our Domain controllers are no longer logging AD account logon events (Outlook Web App login - SharePoint Login) to the Security Log. But it works for RDP.

How can I track ALL user logon activity on the domain controllers?

  • domain auditing is disabled by default and needs to be enabled – djdomi Jun 29 '22 at 16:35
  • What type of event ids are the domain controllers logging for RDP logons? – Lucky Luke Jun 29 '22 at 21:12
  • @djdomi: I think domain auditing is NOT disabled, because the DCs are logging authentication for other services (for example VPN and other web applications). The problem is with Exchange and SharePoint authentication. – Amin Mirzanejad Jun 30 '22 at 05:08

2 Answers

1

You need to check if the audit log is disabled. You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.

Audit logon events (Windows 10) - Windows security | Microsoft Docs

You could also try turning off credential validation and turning on account logon events.

Aaron
  • What do you mean? The audit log on the domain controller is enabled (I am sure). Do you mean I should enable it on the Exchange server? – Amin Mirzanejad Jun 30 '22 at 05:11
0

Sorry for that. Based on my research, the DC wouldn’t record the OWA login events in the Event Viewer.

But you can review it by checking the IIS logs under the path: C:\inetpub\logs\LogFiles\W3SVC1. Open the log via Excel and use the filter to get OWA login events.

You could also use this tool to check OWA login events: Log Parser Studio 2.0 is now available - Microsoft Tech Community

Aaron
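As an added example (not part of either answer, and not Microsoft's tooling): a small Python parser for the IIS W3C logs mentioned above that groups authenticated OWA requests by user and client IP, as an alternative to filtering in Excel. It assumes the `cs-username`, `cs-uri-stem` and `c-ip` fields are enabled in the log and that OWA is served under `/owa`; the function names and the sample log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-06-30 05:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-06-30 05:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=x 443 - 203.0.113.7 Mozilla/5.0 200
2022-06-30 05:00:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2022-06-30 05:00:10 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.7 Mozilla/5.0 200
2022-06-30 05:12:44 10.0.0.5 POST /owa/service.svc action=GetItem 443 CONTOSO\\alice 203.0.113.7 Mozilla/5.0 200
2022-06-30 06:02:30 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 198.51.100.20 Mozilla/5.0 200
2022-06-30 06:03:00 10.0.0.5 GET /ecp/ - 443 CONTOSO\\bob 198.51.100.20 Mozilla/5.0 200
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def owa_sessions(lines, prefix="/owa"):
    """Group authenticated OWA requests by (user, client IP)."""
    seen = defaultdict(lambda: {"first": None, "last": None, "requests": 0})
    for row in parse_w3c(lines):
        user = row.get("cs-username", "-")
        stem = row.get("cs-uri-stem", "").lower()
        if user == "-" or not stem.startswith(prefix):
            continue  # anonymous request, or not an OWA path
        stamp = f'{row["date"]} {row["time"]}'  # IIS W3C timestamps are UTC
        entry = seen[(user.lower(), row["c-ip"])]
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["requests"] += 1
    return dict(seen)

if __name__ == "__main__":
    for (user, ip), info in owa_sessions(SAMPLE_LOG.splitlines()).items():
        print(user, ip, info["first"], info["last"], info["requests"])
```

To run it against a real file, pass the open log file object to `owa_sessions` in place of the sample lines. Only requests that IIS logged with a user name are counted; lines with `-` in `cs-username` are skipped.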