0

I cant seem to find a log that contains the info I want in AD.

I want to log logon events so I can see each user login and where it came from, similar to the information logged when a user provides a wrong password.

In the end, I want to change the password of a service account, but want to find out where it is being used before I change it.

michael.clyne
  • 91
  • 1
  • 2
  • 7
  • What service account? What application is it tied too? If there;s no interactive logon then I believe it's impossible, unless you write some code directly in to the application. – Samuel Nicholson Jan 23 '15 at 19:15
  • If auditing for logins is enabled you'll get events 4624 at Security log on DC, it doesn't matter what type of logon you use. There's quick guide to help enable auditing for AD https://www.netwrix.com/download/Guides/active_directory_auditing_quick_reference_guide.pdf – Yan Skursky Jan 27 '15 at 10:50

1 Answers1

3

Enable Audit Policy in the DC, and check the security log (vent ID 4624). Be aware your log will fill space really fast.

Auditing can be enabled on the Domain Controller as follows:

  • Log on using an administrator account.
  • Open the Active Directory Users and Computers tool.
  • Right-click the container holding the domain controller and click Properties.
  • Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
  • In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security Settings, and then to Local Policies.
  • Select Audit Policy.
yagmoth555
  • 16,758
  • 4
  • 29
  • 50