Problem:
After setting “Success, Failure” for the “Audit account logon events” audit policy (found in Computer Configuration, Windows Settings, Security Settings, Audit Policy), only successful audits are logged in the Security Event Log and not the failure audits.
Cause:
The audit policy was set at the domain level and not the Domain Controller level. Domain Controller level settings override the domain level settings and by default the domain controller settings are set for only success audits.
Resolution:
Set the same Audit policy, but for the GPO at the Domain Controller level. Once configured, you can run gpupdate at the Command Prompt on the Domain Controller so that it goes into effect immediately. |
