We have a primary and secondary domain controller that are not logging user logins or logoffs. There are a few occasional event ID 4624's but they appear to be all for service accounts and not actual end users.
The local security policy's on both controllers list no auditing so I thought for sure that was my issue but come to find out (with a bit of research on this site) local security policy will say that even if it is being overridden by a group policy on a domain controller.
Local Security Policy:
Policy Security Setting Audit account logon events No auditing Audit account management No auditing Audit directory service access No auditing Audit logon events No auditing Audit object access No auditing Audit policy change No auditing Audit privilege use No auditing Audit process tracking No auditing Audit system events No auditing
With this in mind I ran rsop.msc to verify GPO is overriding local audit policies.
RSOP Results:
Policy Computer Setting Source GPO Audit account logon events Success, Failure Default Domain Controllers Policy Audit account management Success, Failure Default Domain Controllers Policy Audit directory service access Success, Failure Default Domain Controllers Policy Audit logon events Success, Failure Default Domain Controllers Policy Audit object access No auditing Default Domain Controllers Policy Audit policy change Success, Failure Default Domain Controllers Policy Audit privilege use Success, Failure Default Domain Controllers Policy Audit process tracking Success, Failure Default Domain Controllers Policy Audit system events Success, Failure Default Domain Controllers PolicySo I am not quite sure where to go from here, even though RSOP says it should be auditing, both controllers are not logging 4624's for end users. Does anybody have any futher trouble shooting they could offer for me to get 4624's logging the way they should be?