Enable Auditing for "Analyze Logon Duration" Script

One of ControlUp's most popular Script Based Actions is the "Analyze Logon Duration" script. 

For this script to work correctly, certain group policies must be in place. There are two methods of enabling these policies, and only one of them should be used; setting both is not recommended.

Enable Legacy Auditing Policies

1) In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Legacy Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.

2) The policies you will be setting can be found in Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.

3) You will set the following policies:

  • Audit logon events: Success
  • Audit process tracking: Success, Failure

Enable Advanced Auditing Policies

1) In the Group Policy Manager, identify the group policy that you want to edit to apply the requisite auditing policies. For this example, I will create a custom GPO called "Advanced Auditing Policy" to contain these settings. Once the GPO is created, right-click it and select Edit.

2) For Advanced Auditing you will be enabling several policies rather than just one.

3) Enable the Advanced Auditing Policies by setting the following:

  • Policies\Windows Settings\Security Settings\Local Policies\Security Options
    • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled
  • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Detailed Tracking
    • Audit Process Creation: Success
    • Audit Process Termination: Success
  • Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Logon/Logoff
    • Audit Logon: Success
  • Policies\Administrative Templates\System\Audit Process Creation
    • Include command line in process creation events: Enabled
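After the GPO has applied (for example after a `gpupdate /force`), it is worth confirming on a target machine that the effective audit policy really matches what either section above configured, since a conflicting GPO or a missing "Force audit policy subcategory settings" override can silently leave a subcategory at "No Auditing". The following script is an added example and is not part of the ControlUp article or its Script Based Action. It reads the effective policy with `auditpol`, checks the two registry values that the Security Options and Administrative Templates settings of the Advanced method write (`SCENoApplyLegacyAuditPolicy` and `ProcessCreationIncludeCmdLine_Enabled`), and looks at the newest process-creation event (ID 4688) to see whether a command line was actually recorded. The required subcategory list and the "Success" minimum are taken from the two sections above; the legacy category settings surface as the same subcategories, so the one check covers both methods. It must be run in an elevated session because `auditpol /get` and the Security log require administrator rights.

```powershell
# Added example (not ControlUp's code): verify the auditing required by the
# "Analyze Logon Duration" script is actually in effect on this machine.
# Run elevated, after the GPO has been applied.

# Subcategories the script relies on and the minimum setting each must show.
# Legacy "Audit logon events" / "Audit process tracking" set whole categories,
# so they appear here as the same subcategories and are covered by this check.
$Required = @{
    'Logon'               = 'Success'
    'Process Creation'    = 'Success'
    'Process Termination' = 'Success'
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-AuditSubcategory {
    param([string]$Name, [string]$Expected, [object[]]$Policy)
    $row = $Policy | Where-Object { $_.Subcategory -eq $Name }
    if (-not $row) {
        return [pscustomobject]@{ Setting = "Audit $Name"; Ok = $false; Actual = 'subcategory not found' }
    }
    # "Success and Failure" also satisfies a "Success" requirement.
    $ok = $row.'Inclusion Setting' -like "*$Expected*"
    [pscustomobject]@{ Setting = "Audit $Name"; Ok = $ok; Actual = $row.'Inclusion Setting' }
}

function Test-RegistryFlag {
    param([string]$Path, [string]$Name, [string]$Label)
    $val = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting = $Label
        Ok      = ($val -eq 1)
        Actual  = if ($null -eq $val) { 'not set' } else { $val }
    }
}

$policy  = Get-EffectiveAuditPolicy
$results = foreach ($name in $Required.Keys) {
    Test-AuditSubcategory -Name $name -Expected $Required[$name] -Policy $policy
}

# Registry values written by the two non-audit-policy settings of the Advanced method.
$results += Test-RegistryFlag -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' `
    -Label 'Force subcategory settings to override category settings'
$results += Test-RegistryFlag -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Label 'Include command line in process creation events'

# End-to-end check: once command-line logging is on, the CommandLine field of
# the newest 4688 event should be populated rather than empty.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
$cmdLine = if ($evt) {
    ([xml]$evt.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'CommandLine' } |
        ForEach-Object { $_.'#text' }
}
$results += [pscustomobject]@{
    Setting = 'Newest 4688 event carries a command line'
    Ok      = -not [string]::IsNullOrWhiteSpace($cmdLine)
    Actual  = if ($evt) { "event at $($evt.TimeCreated)" } else { 'no 4688 events found' }
}

$results | Format-Table Setting, Ok, Actual -AutoSize
```

Every row should show `Ok` as `True` before relying on the Script Based Action. A `False` on the override flag with the subcategories already correct means the Advanced settings are being honoured only because no legacy category policy conflicts with them, which is exactly the situation the article warns against by asking you to use one method, not both. Note that `auditpol` reports subcategory names in the OS display language, so the name comparison above only works as written on English installations.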
