1
00:00:06,980 --> 00:00:14,880
In this demonstration we'll see how to configure authentication related audit policies in server manager.

2
00:00:14,880 --> 00:00:22,000
I'll click tools manual and then click Group Policy Management in group policy management console and

3
00:00:22,000 --> 00:00:31,510
the navigation penile expand forest a datum dot com domains and group also objects and then select the

4
00:00:31,510 --> 00:00:34,130
default domain controller as policy.

5
00:00:34,330 --> 00:00:41,710
The right click the default domain controller as policy and then click added in the Group Policy Management

6
00:00:41,810 --> 00:00:50,820
Editor window in the navigation I'll expand computer configuration policies windows certain security

7
00:00:50,820 --> 00:00:59,380
servants local policies and then click audit policy and in the details pane I'll double click ordered

8
00:00:59,560 --> 00:01:04,660
account log on arounds and then expand the configuration options.

9
00:01:04,670 --> 00:01:11,710
So if you select the defined these policies sentence checkbox the policy is applied.

10
00:01:11,710 --> 00:01:21,010
If you select success only success audits are logged and if you select failure only failure audits are

11
00:01:21,020 --> 00:01:21,940
locked.

12
00:01:21,940 --> 00:01:29,900
I'd like to point out that if multiple policies contains a certain and it is defined differently.

13
00:01:29,920 --> 00:01:38,420
Their success and failure options apply based on the last applied policy that defined low sentence.

14
00:01:38,620 --> 00:01:45,310
If one policy defines success audits and in other defines failure audits.

15
00:01:45,310 --> 00:01:46,900
They do not merge.

16
00:01:46,960 --> 00:01:55,030
Click define these policies sentence select both the success and failure checkboxes and then click Okay.

17
00:01:55,090 --> 00:02:03,490
Now in the details Spain I'll double click audit account log on at once click the explained tab and

18
00:02:03,520 --> 00:02:07,450
you can read the explanation of this policy here.

19
00:02:07,480 --> 00:02:15,310
No I'll click Cancel to closely audit my account log on one's properties dialog box we can repeat the

20
00:02:15,310 --> 00:02:25,200
same steps for audit log on a policy as we did for audit account log on events now in the group Paul

21
00:02:25,210 --> 00:02:29,200
is a management editor a window in the navigation pane.

22
00:02:29,200 --> 00:02:38,170
I'll maybe get to computer configuration policies windows certain security settings advanced audit policy

23
00:02:38,170 --> 00:02:48,190
configuration audit policies and then click audit policies and in the audit policies policy we can find

24
00:02:48,480 --> 00:02:53,310
10 main categories and will double click account log on.

25
00:02:53,350 --> 00:02:58,150
We'll have subcategories here and we'll double click.

26
00:02:58,150 --> 00:03:01,220
Audit Gerber US authentication service.

27
00:03:01,330 --> 00:03:10,330
And as you can see the this subcategory has the same settings as in the audit policy audit account log

28
00:03:10,330 --> 00:03:18,720
on Saddam but they are now on a more detailed level and to allow a more selective audit him.

29
00:03:18,760 --> 00:03:26,920
Now let's select configure the following audit events select success and select failure and then click

30
00:03:26,920 --> 00:03:27,750
apply.

31
00:03:27,760 --> 00:03:32,220
We can also read the explanation in the explain tab here.

32
00:03:32,230 --> 00:03:35,310
Now let's see how to view log on events.

33
00:03:35,440 --> 00:03:44,110
First on Lowndes C1 I'll open command prompt and type GP update slash for and then press enter.

34
00:03:44,110 --> 00:03:51,820
I'll wait until the policy has been updated and then switch to the start screen and click the administrator

35
00:03:51,820 --> 00:03:53,960
icon and then click sign out.

36
00:03:54,070 --> 00:04:02,410
Then I'll try to sign in with another user which is a data and backslash Aden with her own password.

37
00:04:02,410 --> 00:04:04,360
I'll type 1 2 3 4.

38
00:04:04,510 --> 00:04:10,170
I'll get the message that the user name or password is incorrect and click Okay.

39
00:04:10,180 --> 00:04:15,760
Then I'll sign in with Administrator second and turn the server manager.

40
00:04:15,760 --> 00:04:22,990
I'll click tools and then click event viewer and an event for you're in the navigation pane and expand

41
00:04:23,320 --> 00:04:31,240
windows locks and then click security and in the details pane I'll lock key to the event I.D..

42
00:04:31,250 --> 00:04:33,280
4 2 7 7 2 1.

43
00:04:33,580 --> 00:04:36,300
It's an audit failure rewound.

44
00:04:36,400 --> 00:04:37,480
Let's double click.

45
00:04:37,480 --> 00:04:39,790
They went failure ordered failure.

46
00:04:39,790 --> 00:04:40,600
Sorry.

47
00:04:40,660 --> 00:04:48,160
And as we can see that event was locked when Aiden tried to sign in with the wrong password.

48
00:04:48,160 --> 00:04:50,240
Now let's lucky to went I.

49
00:04:50,280 --> 00:04:59,040
Forty seven sixty eight and we can see that it's an ordered success around this event was locked when

50
00:04:59,440 --> 00:05:02,200
administrator assigned in successfully.