Enable Auditing for "Analyze Logon Duration" Script

    Article Summary

    One of our most popular script actions is the Analyze Logon Duration script.

    For this script to work correctly, certain group policies must be in place. There are two methods of enabling these policies; use only one of them. Setting both is not recommended.

    Enable Legacy Auditing Policies

    1. In the Group Policy Manager, identify the group policy you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Legacy Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.
    2. The policies you will be setting can be found in Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.
    3. Set the following policies:
      • Audit logon events: Success
      • Audit process tracking: Success, Failure

    Enable Advanced Auditing Policies

    1. In the Group Policy Manager, identify the group policy you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Advanced Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.
    2. For Advanced Auditing you will be enabling multiple policies. Set the following:
      • Policies\Windows Settings\Security Settings\Local Policies\Security Options
        • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
      • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking
        • Audit Process Creation: Success
        • Audit Process Termination: Success
      • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff
        • Audit Logon: Success
      • Policies\Administrative Templates\System\Audit Process Creation
        • Include command line in process creation events: Enabled

    Increase the size of the logs required for the analysis

    Some event logs are small by default (4 MB) and roll over very quickly, so it is recommended to increase the size of the following logs:

    Microsoft-Windows-GroupPolicy/Operational
    Microsoft-Windows-PrintService/Operational

    Via Group Policy (GPO), set the following registry values:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-GroupPolicy/Operational
    Value: MaxSize
    Type:  REG_DWORD
    Data:  52428800 (0x03200000)

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PrintService/Operational
    Value: MaxSize
    Type:  REG_DWORD
    Data:  52428800 (0x03200000)

    Value: Enabled (same key as above)
    Type:  REG_DWORD
    Data:  1


    Or, if you prefer, issue the following commands on a running computer (from an elevated command prompt):

    REM Enable Print Service logging: size 50 MB, no retention (overwrite oldest events when full), no auto-backup
    wevtutil sl Microsoft-Windows-PrintService/Operational /ms:52428800 /rt:false /ab:false /e:true

    REM Enable Group Policy logging: size 50 MB, no retention (overwrite oldest events when full), no auto-backup
    wevtutil sl Microsoft-Windows-GroupPolicy/Operational /ms:52428800 /rt:false /ab:false /e:true

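    To confirm that the settings above actually took effect on a machine (whichever of the two methods was used, since auditpol reports the effective per-subcategory state), here is an added verification script that is not part of the original article. It reads the audit subcategories with auditpol, the size and enabled state of the two event logs, and the command-line policy registry value; it assumes an elevated PowerShell session and English-language auditpol output.

```powershell
#Requires -RunAsAdministrator
# Added verification script (not part of the original article).
# Assumes an elevated session; auditpol CSV output is parsed using its English column names.

$requiredAudit = [ordered]@{
    'Logon'               = 'Success'
    'Process Creation'    = 'Success'
    'Process Termination' = 'Success'
}
$requiredLogs = @(
    'Microsoft-Windows-GroupPolicy/Operational',
    'Microsoft-Windows-PrintService/Operational'
)
$minSizeBytes = 52428800   # 50 MB, the value the article recommends

function Test-AuditSubcategory {
    param([string]$Name, [string]$Expected)
    # auditpol /r prints CSV with an "Inclusion Setting" column (Success, Failure, Success and Failure, No Auditing)
    $row = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ } | ConvertFrom-Csv
    $actual = $row.'Inclusion Setting'
    [pscustomobject]@{ Check = "Audit $Name"; Expected = $Expected; Actual = $actual; OK = ($actual -match $Expected) }
}

function Test-EventLogSize {
    param([string]$LogName)
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    [pscustomobject]@{
        Check    = $LogName
        Expected = "Enabled, MaxSize >= $minSizeBytes"
        Actual   = "Enabled=$($log.IsEnabled), MaxSize=$($log.MaximumSizeInBytes)"
        OK       = ($log.IsEnabled -and $log.MaximumSizeInBytes -ge $minSizeBytes)
    }
}

$results = @()
foreach ($entry in $requiredAudit.GetEnumerator()) { $results += Test-AuditSubcategory -Name $entry.Key -Expected $entry.Value }
foreach ($logName in $requiredLogs) { $results += Test-EventLogSize -LogName $logName }

# "Include command line in process creation events" is a registry policy, not an audit subcategory
$cmdLineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $cmdLineKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
$results += [pscustomobject]@{ Check = 'Command line in process creation events'; Expected = 1; Actual = $cmdLine; OK = ($cmdLine -eq 1) }

# Any row with OK = False is a setting the script's analysis will be missing
$results | Format-Table -AutoSize
```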