Why would a Windows Server still generates 4624 events (An account was successfully logged on) in the Security log even though the Audit Policy's Audit logon events value is set to No auditing.
Asked
Active
Viewed 593 times
1 Answers
0
As far as I know, audit of logon event is enabled by default, if you want to disable it, please use GPMC, and edit your default domain policy.
Under computer settings, security settings local policies, audit policy.
Please refer to this earlier thread having suggested solutions might helps you to resolve this issue: https://social.technet.microsoft.com/Forums/office/en-US/a9370291-0520-484d-a6c3-9a23cdf94023/excessive-4624-and-4634-events?forum=winserverDS
If the problem is caused by a specific terminal server, we can remove it from the domain and rejoin it as a test.
Here are the steps you need to follow in order to successfully track user logon sessions using the event log: https://community.spiceworks.com/how_to/130398-how-to-track-user-logon-session-using-event-log
JhonKnight
- 11
- 1