
How to set a group policy to monitor user logons

SUMMARY

A group policy can be set manually to audit user logons; auditing failed logons helps identify unauthorized logon attempts. You can create and enable such a group policy using the steps below.


STEPS

Domain Controller

  • On the domain controller, run “gpmc.msc” (Group Policy Management)
  • Right-click on the domain, and select “Create a new GPO in this domain and link it here”
  • Give it a descriptive name
  • Under the ‘Scope’ tab of the new group policy, click ‘Add’ under Security Filtering
  • Click on Object Types and enable ‘Computers’ and click OK
  • Type in the name of the Exchange Server and click ‘Check Names’ to resolve it. Click OK.
  • Click on ‘Authenticated Users’ and click Remove.
  • Right-click on this new policy which appears beneath the domain name, and select ‘Edit’
  • A new window will pop up to edit this group policy.
  • Go to ‘Computer Configuration’ → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff
  • Double-click on ‘Audit Logon’, check ‘Configure the following audit events:’, and check ‘Failure’. Click OK.
  • Close the window to return back to the Group Policy Management window.
  • Select the domain, and on the Linked Policy Objects tab you should see the policies that have been linked. The newly added policy is already linked, but it can be unlinked / re-linked to quickly disable or enable the policy.

Exchange Server

  • On the Exchange Server, check the current audit policy:
    • auditpol /get /category:*
  • Run ‘gpupdate’ to apply the latest policy locally:
    • gpupdate
  • Run the auditpol command again to confirm that the expected policy has been applied:
    • auditpol /get /category:*
  • In the Security log, filter on event ID 4625 (An account failed to log on).
  • Generate a logon failure using OWA, and confirm that an event ID 4625 is logged.
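The checks in the Exchange Server steps above can be scripted so they are repeatable. The following PowerShell script is an added example, not part of the original guide: it confirms the ‘Logon’ subcategory now audits failures, pulls the recent 4625 events, and summarises them per source IP. The look-back window and the failure threshold are assumed values; run it in an elevated session on the Exchange Server after ‘gpupdate’.

```powershell
# Added verification script for the procedure above (not from the original guide).
# Assumed values: adjust the look-back window and threshold to your environment.
$LookBackMinutes  = 60   # how far back in the Security log to look
$FailureThreshold = 5    # failures per source IP worth flagging

# 1. Confirm the GPO took effect: the 'Logon' subcategory must include Failure.
#    'auditpol /r' emits CSV, so it can be parsed instead of string-matched.
$logonPolicy = auditpol /get /subcategory:"Logon" /r |
    Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$setting = $logonPolicy.'Inclusion Setting'
if ($setting -notmatch 'Failure') {
    Write-Warning "Audit Logon is '$setting'; expected Failure. Re-check gpupdate and the GPO link."
} else {
    Write-Host "Audit Logon subcategory is set to: $setting"
}

# 2. Pull recent 4625 events and extract the fields that matter for triage.
$since  = (Get-Date).AddMinutes(-$LookBackMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType     # 3 = Network, 8 = NetworkCleartext (IIS basic/forms auth)
        SourceIp    = $d.IpAddress
        Workstation = $d.WorkstationName
        SubStatus   = $d.SubStatus     # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

if (-not $failures) {
    Write-Host "No 4625 events in the last $LookBackMinutes minutes; generate an OWA failure and re-run."
    return
}

# 3. Summarise per source IP so repeated failures from one address stand out.
$failures | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
    $flag = if ($_.Count -ge $FailureThreshold) { '  <-- exceeds threshold' } else { '' }
    '{0,-15} {1,4} failures, {2} distinct users{3}' -f $_.Name, $_.Count,
        @($_.Group.User | Sort-Object -Unique).Count, $flag
}
```

The single OWA failure from the last step should appear as one row with your client address as SourceIp; the per-IP summary is the same view you would use later to spot repeated failures against the server.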