Enable Auditing for "Analyze Logon Duration" Script
One of our most popular script actions is the Analyze Logon Duration script.
In order for this script to work correctly, certain group policies must be in place. There are two methods to enable these policies; use only one of them. Setting both is not recommended.
Enable Legacy Auditing Policies
- In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Legacy Auditing Policy" to contain these settings. Once the GPO is created, right click and select Edit.
- The policies you will be setting can be found in Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
- Set the following policies:
  - Audit logon events: Success
  - Audit process tracking: Success, Failure
Enable Advanced Auditing Policies
- In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Advanced Auditing Policy" to contain these settings. Once the GPO is created, right click and select Edit.
- For Advanced Auditing you will actually be enabling multiple policies:
  - Enable the Advanced Auditing Policies. This is done under Policies\Windows Settings\Security Settings\Local Policies\Security Options:
    - Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
  - Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking:
    - Audit Process Creation: Success
    - Audit Process Termination: Success
  - Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff:
    - Audit Logon: Success
  - Policies\Administrative Templates\System\Audit Process Creation:
    - Include command line in process creation events: Enabled
Increase the logs required for the analysis
As mentioned at the beginning, some event logs are small by default (4 MB) and roll over very quickly, so it is recommended to enlarge the following logs:
Via Group Policy (GPO), set the following registry values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-GroupPolicy/Operational
  Value: MaxSize  Type: REG_DWORD  Data: 52428800 (0x03200000)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PrintService/Operational
  Value: MaxSize  Type: REG_DWORD  Data: 52428800 (0x03200000)
  Value: Enabled  Type: REG_DWORD  Data: 1
Or, if you prefer to issue the commands on a running computer (from an elevated command prompt):

REM Enable Print Service logging, no retention, size 50MB
wevtutil sl Microsoft-Windows-PrintService/Operational /ms:52428800 /rt:false /ab:false /e:true

REM Enable Group Policy logging, no retention, size 50MB
wevtutil sl Microsoft-Windows-GroupPolicy/Operational /ms:52428800 /rt:false /ab:false /e:true
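To confirm that the settings above have actually taken effect on a machine before running the script, the following PowerShell check is an added example (not part of this article or the script itself). It assumes the Advanced Auditing method, that the GPO has already applied (run gpupdate /force first), and that it is run from an elevated session; the registry value names are the standard Windows locations behind the GPO settings listed above.

```powershell
# Added verification check for the Analyze Logon Duration prerequisites (not the article's own code).
# Assumes the Advanced Auditing method and an elevated PowerShell session after the GPO has applied.
$ok = $true
function Report($name, $pass, $detail) {
    $status = if ($pass) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $status, $name, $detail)
    if (-not $pass) { $script:ok = $false }
}

# 1. "Audit: Force audit policy subcategory settings ... to override" is stored as SCENoApplyLegacyAuditPolicy
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
Report 'Subcategory override' ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) "SCENoApplyLegacyAuditPolicy=$($lsa.SCENoApplyLegacyAuditPolicy)"

# 2. Effective audit subcategories as reported by auditpol (the /r switch gives CSV output)
$wanted = @{ 'Process Creation' = 'Success'; 'Process Termination' = 'Success'; 'Logon' = 'Success' }
$csv = auditpol /get /category:* /r | ConvertFrom-Csv
foreach ($sub in $wanted.Keys) {
    $row = $csv | Where-Object { $_.Subcategory -eq $sub }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    Report "Audit $sub" ($setting -match $wanted[$sub]) $setting
}

# 3. "Include command line in process creation events" is stored as ProcessCreationIncludeCmdLine_Enabled
$audit = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue
Report 'Command line in 4688 events' ($audit.ProcessCreationIncludeCmdLine_Enabled -eq 1) "ProcessCreationIncludeCmdLine_Enabled=$($audit.ProcessCreationIncludeCmdLine_Enabled)"

# 4. Both operational channels must be enabled and sized to at least 50 MB (52428800 bytes)
foreach ($log in 'Microsoft-Windows-GroupPolicy/Operational', 'Microsoft-Windows-PrintService/Operational') {
    $l = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    $pass = ($null -ne $l) -and $l.IsEnabled -and ($l.MaximumSizeInBytes -ge 52428800)
    Report $log $pass ("Enabled={0} MaxSize={1} bytes" -f $l.IsEnabled, $l.MaximumSizeInBytes)
}

if ($ok) { 'All Analyze Logon Duration prerequisites are in place.' } else { 'One or more prerequisites are missing.' }
```

If the Legacy Auditing method was used instead, the first check will report FAIL by design while the auditpol rows still show the effective Success settings inherited from the category-level policy.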