How to Enable Logon Auditing to Track Logon Activities of Windows Users

Ever wonder if you can track user logon activities in Windows so that you can have a record of who logged in and when they log in? This is perfectly possible in the Windows system using the Logon Auditing feature. Tracking user login and log off activities are very useful in server or organization environments where data is confidential and in situations where you just want to know “who did this” in your Windows system. By default, the Logon Auditing feature is disabled in Windows. In this article, let us see how to enable Logon Auditing and how to see those tracking events on a Windows system.

Note: Logon Auditing is only available in Pro, Ultimate and Enterprise versions of Windows 8.

Logon Auditing is a built-in Windows Group Policy Setting which enables a Windows admin to log and audit each instance of user login and log off activities on a local computer or over a network. Along with log in and log off event tacking, this feature is also capable of tracking any failed attempts to log in. This is particularly helpful in determining and analyzing any attacks on your Windows machine.

To enable Logon Auditing, we need to configure Windows Group Policy settings. Press “Win + R”, type gpedit.msc and press the Enter button to open Windows Group Policy Editor.

enable-logon-auditing-eun-command

Once you are in the Group Policy Editor, navigate to “Computer Configuration -> Windows Settings -> Security Settings -> Local Policies” and then select “Audit Policy” in the left pane.

enable-logon-auditing-audit-policy

The above action will show you some policies on the right pane. Here double click on “Audit logon events” policy to open it. Please don’t confuse “Audit logon events” with “Audit account logon events” as it is a setting for a completely different purpose.

enable-logon-auditing-open-logon-events-policy

Once the Window is opened, select both the check boxes “Success” and “Failure.” Now click on the “Apply” and “Ok” buttons to save the changes.

enable-logon-auditing-select-options

That’s all there is to do. From this point forward, every log in, log off and failed log in attempts will be logged in the Event Viewer as events.

You can view all the log in, log off and failed log in attempt events in the Windows Event Viewer. You can launch the Event Viewer by searching in the start menu. If you are using Windows 8, you can launch the same using the Power User menu (Win + X).

enable-logon-auditing-search-event-viewer

Once you have launched the Event Viewer, navigate to Windows Logs and then to the Security tab.

enable-logon-auditing-security-events

Here you will find all the security related events that happened in your Windows system. If you double click on the keyword “Audit Success,” you will find out the details like the user that has been logged in or logged out, time stamp, etc. As a tip, you can filter down the event logs using “Event ID” or “Task Category.” As you can see from the below image, Logon Auditing also tracks any failed login attempts.

enable-logon-auditing-logon-event-logged

That’s all there is to do, and it is that simple to track user logins in your Windows system.

Hopefully that helps, and do comment below if you face any problems while enabling the Logon Auditing feature in Windows.