Enable Auditing for "Analyze Logon Duration" Script

One of ControlUp's most popular Script Based Actions is the "Analyze Logon Duration" script. 

In order for this script to work correctly, certain group policies must be in place. There are two methods to enable these policies; use only one of them. Setting both is not recommended.

Enable Legacy Auditing Policies

  1. In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Legacy Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.
  2. The policies you will be setting can be found under Policies\Windows Settings\Security Settings\Local Policy\Audit Policy.
  3. You will set the following policies:
    • Audit logon events: Success
    • Audit process tracking: Success, Failure

Enable Advanced Auditing Policies

  1. In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Advanced Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.

  2. For Advanced Auditing you will be enabling multiple policies.
  3. Enable the Advanced Auditing Policies by setting the following:
    • Policies\Windows Settings\Security Settings\Local Policies\Security Options
      • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
    • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking
      • Audit Process Creation: Success
      • Audit Process Termination: Success
    • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff
      • Audit Logon: Success
    • Policies\Administrative Templates\System\Audit Process Creation
      • Include command line in process creation events: Enabled

Increase the logs required for the analysis

As mentioned at the beginning, some Event logs are small by default (4 MB) and roll over very quickly. It is therefore recommended to extend the following logs:

Microsoft-Windows-GroupPolicy/Operational
Microsoft-Windows-PrintService/Operational

Via Group Policy (GPO):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-GroupPolicy/Operational
Value: MaxSize
Type:  REG_DWORD
Data:  52428800 (0x03200000)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PrintService/Operational
Value: MaxSize
Type:  REG_DWORD
Data:  52428800 (0x03200000)

Value: Enabled
Type:  REG_DWORD
Data:  1

Or, if you prefer to issue the commands on a running computer:

REM Enable Print Service logging, no retention, size 50MB
wevtutil sl Microsoft-Windows-PrintService/Operational /ms:52428800 /rt:false /ab:false /e

REM Enable Group Policy logging, no retention, size 50MB
wevtutil sl Microsoft-Windows-GroupPolicy/Operational /ms:52428800 /rt:false /ab:false /e
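Once the GPO has applied, the following PowerShell script verifies on an endpoint that every prerequisite above is actually in effect: the three advanced audit subcategories, the subcategory-override and command-line-logging policies (read from the registry values those policies write), and the size and state of the two channels. It is an added example, not part of the ControlUp article or its scripts; it assumes an elevated Windows PowerShell 5.1+ session on an English-locale system (the auditpol CSV column names are locale dependent).

```powershell
# Added verification script (not from the ControlUp article). Run elevated after
# gpupdate /force to confirm the "Analyze Logon Duration" prerequisites are in effect.
$ErrorActionPreference = 'Stop'
$results = @()

# 1. Advanced audit subcategories. "auditpol /get ... /r" emits CSV with an
#    "Inclusion Setting" column (assumes English locale for the header names).
$required = @{
    'Process Creation'    = 'Success'
    'Process Termination' = 'Success'
    'Logon'               = 'Success'
}
foreach ($sub in $required.Keys) {
    $row    = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $actual = $row.'Inclusion Setting'
    # "Success and Failure" also satisfies a "Success" requirement; "No Auditing" does not.
    $results += [pscustomobject]@{ Check = "Audit: $sub"; Expected = $required[$sub]; Actual = $actual; OK = ($actual -match $required[$sub]) }
}

# 2. Registry values written by the "Force audit policy subcategory settings" option
#    and by "Include command line in process creation events" (event ID 4688).
$regChecks = @(
    @{ Name = 'Subcategory override';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                   Value = 'SCENoApplyLegacyAuditPolicy' },
    @{ Name = 'Command line in 4688';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';        Value = 'ProcessCreationIncludeCmdLine_Enabled' }
)
foreach ($c in $regChecks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $results += [pscustomobject]@{ Check = $c.Name; Expected = 1; Actual = $actual; OK = ($actual -eq 1) }
}

# 3. Channel size and state: at least 50 MB (52428800 bytes) and enabled, per the article.
foreach ($log in 'Microsoft-Windows-GroupPolicy/Operational', 'Microsoft-Windows-PrintService/Operational') {
    $l = Get-WinEvent -ListLog $log
    $results += [pscustomobject]@{ Check = "$log size";    Expected = 52428800; Actual = $l.MaximumSizeInBytes; OK = ($l.MaximumSizeInBytes -ge 52428800) }
    $results += [pscustomobject]@{ Check = "$log enabled"; Expected = $true;    Actual = $l.IsEnabled;          OK = [bool]$l.IsEnabled }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more prerequisites are missing; re-check the GPO scope and run gpupdate /force.'
}
```

A row showing "Success and Failure" for Process Creation is still reported as OK, since the script only requires that successes are audited.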