- Run gpmc.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff:
- Audit Logon → Define → Success And Failures.
- Go to Event Log → Define:
- Maximum security log size to 4gb
- Retention method for security log to "Overwrite events as needed".
- Link the new GPO to OU with Computer Accounts: Go to "Group Policy Management" → right-click the defined OU → choose Link an Existing GPO → choose the GPO that you created.
- Force the group policy update: In "Group Policy Management" right click on the defined OU → click on "Group Policy Update".
- Open Event viewer and search Security log for event id’s 4648 (Audit Logon).
![Microsoft Windows Security Event 4648: a logon was attempted using explicit credentials](https://img.netwrix.com/howtos/ms_windows_security_event_logon_was_attempted_using_explicit_credentials.png)
- Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Logon Activity" → Select "Successful Logons" or "Failed Logons" → Click "View".
If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
![Netwrix Auditor Successful Logons by User: shows logons filtered by user name](https://img.netwrix.com/landings/howtofriday/Successful.v002.png)
![Netwrix Auditor Failed Logon Attempts: shows failed authentication attempts in Active Directory](https://img.netwrix.com/landings/howtofriday/Failed.png)