Overview: In this article, we will review how to enable auditing of logon events on your Windows endpoints and receive a CSV report on logon attempts that occurred between two dates.
The report will show the creation time of the event, domain\username and the logon attempt result. The three possible logon attempt results are: Interactive login success, Remote login success and Login failure.
First, you need to make sure that auditing of logon attempts is enabled on the endpoint. If it is, you can skip to Step 4.
The auditing logs can be enabled remotely as shown below or you can proceed to Step 1 to enable them manually.
You can use the following command line for listing auditing policy settings:
auditpol /get /category:*
Also, you can enable the Audit Logon events remotely using this command:
auditpol /set /subcategory:Logon /success:enable /failure:enable
Time estimated to complete this procedure: 5-10 minutes
Step 1: Access your Windows endpoint. Press WinKey+R on your keyboard. Enter gpedit.msc and click OK.
Step 2: Go to the following path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Step 3: Double-click on Audit logon events
It will open a window called Audit logon events Properties. Mark the Success and Failure checkboxes and click OK.
Step 4: Go to app.atera.com > Admin > Scripts > Shared Script Library.
Step 5: Search for the script named Login Audit (you can use the Script Name box to filter the results).
Step 6: Click on Clone to copy the script to My Scripts.
You will now find the script under 'My Scripts' named 'Login Audit (copy)'.
Step 7: Go to the Agent console > Manage > Run Script and choose the script you cloned at Step 6. You will have a new CSV file in the path you chose in $ResultFile.
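To show what a report like this draws on once logon auditing is enabled, here is an added example (not Atera's Login Audit script) that reads the Security log between two dates and writes the three result types to a CSV. Assumptions: $StartDate and $EndDate are hypothetical names, the output path is a constructed sample, and mapping logon type 2 to "Interactive" and type 10 to "Remote" is this example's own classification.

```powershell
# Added example; not Atera's Login Audit script. Run from an elevated session.
# Assumed inputs: report window and output path ($ResultFile is the name used in Step 7).
$StartDate  = (Get-Date).AddDays(-7)
$EndDate    = Get-Date
$ResultFile = Join-Path $env:TEMP 'LoginAudit.csv'   # constructed sample path

# Security log: 4624 = successful logon, 4625 = failed logon
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $StartDate
    EndTime   = $EndDate
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Index the EventData fields by name rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $result = if ($e.Id -eq 4625) {
        'Login failure'
    } else {
        switch ($data['LogonType']) {
            '2'     { 'Interactive login success' }   # console logon
            '10'    { 'Remote login success' }        # RemoteInteractive (RDP)
            default { $null }                         # service, network, etc. are skipped
        }
    }
    if (-not $result) { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Result      = $result
    }
}

if ($rows) {
    $rows | Sort-Object TimeCreated | Export-Csv -Path $ResultFile -NoTypeInformation
} else {
    Write-Output 'No matching logon events in the selected window.'
}
```

An empty report for a period where logons are known to have occurred usually means the Logon subcategory was not being audited at the time; check it with the auditpol /get command shown earlier.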