Event ID : 4624

-

hi, have following advanced audit policies configured our domain, still dont see event logs machine & user logon details. appreciated.

log name:      security
source:        microsoft-windows-security-auditing
date:          9/30/2016 10:48:37 pm
event id:      4624
task category: logon
level:         information
keywords:      audit success
user:          n/a
computer:      dc
description:
account logged on.

subject:
security id: null sid
account name: -
account domain: -
logon id: 0x0

logon type: 3

impersonation level: delegation

new logon:
security id: s-1-5-21-3803837968-1534464277-3267097699-47311
account name: l-3plhh92$
account domain: corp
logon id: 0x15b72b10b
logon guid: {07261433-bae2-c8ef-34e8-4aa451c95ab9}

process information:
process id: 0x0
process name: -

network information:
workstation name:
source network address: 10.20.111.50
source port: 55026

detailed authentication information:
logon process: kerberos
authentication package: kerberos
transited services: -
package name (ntlm only): -
key length: 0



hi,

check if "force audit policy subcategory settings (windows vista or later) override audit policy category settings" policy setting enabled. enforce 'advanced' auditing categories.

please see below description of setting:

“legacy audit settings can applied windows versions, advanced audit settings can applied windows vista , above, , windows 2008 , above. implementing both legacy , advanced audit policy settings cause unexpected outcomes due conflicts between similar settings in 2 groups of policy settings. enabling audit: force audit policy subcategory settings (windows vista or later) ensure legacy audit settings ignored. in other words, if option checked, legacy audit policies (pre-vista) not applied , must set under advanced audit policy configuration.”

please verify setting in environment.

more article reference:

audit: force audit policy subcategory settings (windows vista or later) override audit policy category settings

https://technet.microsoft.com/en-us/library/dd772710%28v=ws.10%29.aspx?f=255&mspperror=-2147217396

getting effective audit policy in windows 7 , 2008 r2

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

best regards,

alvin wang

please remember mark replies answers if , unmark them if provide no help.
if have feedback technet subscriber support, contact tnmff@microsoft.com.



Windows Server  >  Group Policy



Comments

Post a Comment

Popular posts from this blog

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authenticati...
Read more

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering ...
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema ...
Read more