In this article, we will review how to enable auditing of logon events on your Windows endpoints and receive a CSV report on the log-on attempts that occurred between two dates.
The report will show the creation time of the event, domain\username, and the log-on attempt result. The three possible log-on attempt results are Interactive login success, Remote login success, and Login failure.
You can use the following command line for listing auditing policy settings:
auditpol /get /category:*
You can also enable Audit logon events remotely using this command:
auditpol /set /subcategory:Logon /success:enable /failure:enable
Enable auditing logs
1. Access your Windows endpoint. Press WinKey+R on your keyboard. Enter gpedit.msc and click OK.
2. Go to the following path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
3. Double-click on Audit logon events.
4. The window called Audit logon events Properties appears. Mark the Success and Failure checkboxes and click OK.
Clone Login audit script
1. From Admin (on the side panel), click on Scripts.
The Scripts page appears.
2. Go to Shared Script Library, and search for the script named Login Audit (you can use the Script Name box to filter the results).
3. Click on Clone to copy the script to My Scripts.
You will now find the script under 'My Scripts', named 'Login Audit (copy)'.
4. Run the cloned script on your devices. To learn more, check out the article Run a Script. You will have a new .csv file in the path you chose in $ResultFile.
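To show what a report of this kind involves, the following PowerShell is an added example and not the Login Audit script from the Shared Script Library. The $StartDate and $EndDate parameters, the default $ResultFile path, and the mapping of logon type 2 to interactive and 10 to remote are assumptions made for the example.

```powershell
# Added example: builds a CSV of logon attempts between two dates.
# Parameter names other than $ResultFile and the default path are assumptions.
param(
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date),
    [string]$ResultFile  = 'C:\Temp\LoginAudit.csv'   # hypothetical path
)

# 4624 = successful logon, 4625 = failed logon (Security log).
# Both are only written once "Audit logon events" is enabled.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $StartDate
    EndTime   = $EndDate
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
# Run elevated, otherwise the Security log cannot be read and the report stays empty.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = @(foreach ($evt in $events) {
    # Read named fields from the event XML instead of relying on property positions.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Assumed mapping: logon type 2 = interactive, 10 = remote interactive (RDP).
    $result = if ($evt.Id -eq 4625)              { 'Login failure' }
              elseif ($data['LogonType'] -eq '2')  { 'Interactive login success' }
              elseif ($data['LogonType'] -eq '10') { 'Remote login success' }
              else                                 { $null }  # service, network, etc. are skipped

    if ($result) {
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Result      = $result
        }
    }
})

$rows | Sort-Object TimeCreated | Export-Csv -Path $ResultFile -NoTypeInformation
```

A report with no Login failure rows on a busy endpoint usually means failure auditing is not enabled; confirm with auditpol /get /category:* before trusting it.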