1
00:00:03,030 --> 00:00:08,340
As with all policy settings, you should define the scope carefully for the GPOs that apply your audit

2
00:00:08,340 --> 00:00:11,490
policies so that the settings affect the correct systems.

3
00:00:12,380 --> 00:00:18,080
For example, if you want to audit attempts by users to connect to remote desktop servers in your enterprise,

4
00:00:18,380 --> 00:00:23,480
you can configure log on event auditing in a GPO that is linked to the view that contains your remote

5
00:00:23,480 --> 00:00:24,470
desktop servers.

6
00:00:25,370 --> 00:00:30,800
However, on the other hand, if you want to audit desktop log ons by users in your human resources

7
00:00:30,800 --> 00:00:36,140
department, you can configure logged on event auditing in a GPO that is linked to the EU that contains

8
00:00:36,140 --> 00:00:38,180
human resources, computer objects.

9
00:00:39,050 --> 00:00:44,450
Remember that a domain user who signs into a client computer or connects to a server will generate a

10
00:00:44,450 --> 00:00:47,540
log on event, not an account log on event on that system.

11
00:00:48,350 --> 00:00:50,600
Only domain controllers generate account.

12
00:00:50,600 --> 00:00:52,490
Log on events for domain users.

13
00:00:53,330 --> 00:00:58,850
Remember that an account log on event occurs on the domain controller that authenticates a domain user

14
00:00:59,030 --> 00:01:01,250
regardless of where that user logs on.

15
00:01:02,060 --> 00:01:04,430
If you want to audit, log on to domain accounts.

16
00:01:04,670 --> 00:01:08,900
You should ensure account log on event auditing to effect all domain controllers.

17
00:01:09,780 --> 00:01:15,360
The default domain controllers GPO that is created when you install your first domain controller is

18
00:01:15,360 --> 00:01:19,380
an ideal GPO in which to configure account logon audit policies.