Using Windows Server 2008 R2 Group Policy to enable Auditing User Accounts

Is very important consider authentication in a Windows Security Audit. Collecting data generated by user activity for analizing the security of information, verifing system integrity, and detecting sings of suspicius behivior are really important for all Network System Administrators today. You can monitor and audit log files using Event Viewer, but before you need activate some rules in the Group Policy. Follow the below step for configure this policy :

1. Click Start, in the "Search programs and files..." type "gpedit.msc"
2. In "Local Group Policy Editor" window, locate Computer Configuration.
3. Click to expand Windows Settings > Security Settings > Advance Audit Policy > Sistem Audit Policies.
4. Click to select Account Management.
5. In the right panel, right click in "Audit User Account Management", then click in Properties.
6. In the "Audit User Account Management Properties" window, click to check "Configure the following audit events", and then click to check "Success" and "Failure" events.

When you configure this Policy and audit event is generate when an attempt to change a user account is made. You can see it in Event Viewer > Security. e.g <A user account is created, changed, deleted, remove, disable, enable, locked out, etc.

Also you can audit evenst generated by user account successful logon attempts, failed logon attemps, and closing of a logon session. For this continue reading below:

Steps 1 to 3 are the same steps described above.

      4.  Click to select "Logon/Logoff".
      5.  In the right panel, right click in "Audit Logoff" policy, then click in Properties.
      6.  In the "Audit User Account Management Properties" window, click to check "Configure  
           the following audit events", and then click to check "Success" and "Failure" events.

Repeat steps 5 and 6 for "Audit Logon" policy.

Now in Event Viewer > Security do you have a report about who is logon and logoff.