Logging all failed authentication attempts against Active Directory

Tags: active-directory, audit, windows-authentication

I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests.

When the wrong user or password is used, I do not see audit events on the DC Event Viewer (Windows Logs > Security).

I tested basic scenarios to try & understand what gets audited:

  1. RDP to DC using a valid username but wrong password. No new Audit event. Why?
  2. RDP to DC using a non-existent username. Yes! Audit Failure logged EventID 4625 "Unknown user name or bad password".
  3. RDP to DC using "test" username which exists in AD but the account is disabled. No new Audit event. Why?

How can I log all the above events? Ultimately, what I need logged are failed authentication attempts from the external app, which authenticates against my AD using domain credentials.

Do I need to enable Advanced Auditing?

Is Event Forwarding necessary?

Best Answer

To enable logging of failed attempts, you need to use "Advanced Audit Policy Configuration" in the Group Policy Management Editor to enable audit logging of successful and failed logon attempts.

  1. Go to "Start > Run" and type in gpmc.msc, then click OK.
  2. Right-click on "Default Domain Policy" and select Edit.
  3. Go to "Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff"
  4. Set "Audit Logon" to Success and Failure.
  5. Close Group Policy Management.

This would enable logging of successful and failed logon attempts. If you only want to log failed attempts, simply select Failure only on step 4.
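The steps above turn on the Logon subcategory. One caveat a practitioner will want: on a domain controller, failed domain authentication is spread across more than one subcategory. A Kerberos pre-authentication failure (wrong password for an existing account) is logged as Event ID 4771 and a rejected TGT request (for example a disabled account) as 4768 with the Audit Failure keyword, both under "Kerberos Authentication Service"; an NTLM credential check that fails is 4776 under "Credential Validation". Both of those subcategories live in the "Account Logon" category, not "Logon/Logoff", so Event ID 4625 alone will not show every failure. The following PowerShell is an added example, not part of the original answer: it verifies the effective audit policy with auditpol (which shows the result after Group Policy has been applied, since a GPO overrides whatever was set locally) and then collects failures from all of those subcategories into one table with the status code decoded. It assumes an elevated session on the DC after `gpupdate /force`; the function name `Get-FailedAuthSummary`, the 24-hour default window and the short status-code map are my own choices.

```powershell
# Added example (not from the original answer). Run elevated on a domain
# controller after the GPO change has been applied (gpupdate /force).

# 1. Confirm the effective policy on this DC for both categories involved.
#    Expect "Logon", "Kerberos Authentication Service" and
#    "Credential Validation" to show "Success and Failure" or "Failure".
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"

# 2. Collect failed authentication events from the Security log.
function Get-FailedAuthSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # window is an assumption

    # Keywords bit that marks an event as "Audit Failure"; filtering on it
    # keeps only the failed 4768/4776 entries (4625 and 4771 are always failures).
    $auditFailure = 0x10000000000000

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4768, 4771, 4776
        Keywords  = $auditFailure
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Common reason codes seen in these events (NTSTATUS for 4625/4776,
    # Kerberos error codes for 4768/4771). Anything else is shown raw.
    $reasons = @{
        '0xc000006a' = 'wrong password'
        '0xc0000064' = 'user name does not exist'
        '0xc0000072' = 'account disabled'
        '0xc0000234' = 'account locked out'
        '0x18'       = 'Kerberos pre-auth failed (wrong password)'
        '0x12'       = 'Kerberos client revoked (disabled or locked out)'
        '0x6'        = 'Kerberos principal not found'
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        switch ($e.Id) {
            4625 { $src = $d.IpAddress;   $code = $d.SubStatus; $path = "Logon (type $($d.LogonType))" }
            4768 { $src = $d.IpAddress;   $code = $d.Status;    $path = 'Kerberos TGT request' }
            4771 { $src = $d.IpAddress;   $code = $d.Status;    $path = 'Kerberos pre-authentication' }
            4776 { $src = $d.Workstation; $code = $d.Status;    $path = 'NTLM credential validation' }
        }

        $key = ($code -as [string]).ToLower()
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            User   = $d.TargetUserName
            Source = $src
            Path   = $path
            Code   = $code
            Reason = if ($reasons.ContainsKey($key)) { $reasons[$key] } else { 'see code' }
        }
    }
}

# Usage: list the last 24 hours of failures, newest first.
Get-FailedAuthSummary | Sort-Object Time -Descending | Format-Table -AutoSize
```

Running this against the three scenarios in the question should show the wrong-password attempt as a 4771 with code 0x18 and the disabled account as a 4768 with code 0x12, both of which only appear once the "Kerberos Authentication Service" subcategory is auditing failures. The Source column gives the client address (or workstation name for NTLM), which is what lets you separate the external application's failures from interactive ones.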