Thank you, I just read this article.
My goal is to get only interactive logons to the domain controller or remote desktop logons to the domain controller.
I'm changing the Default Domain Controllers Policy.
2 questions:
I read 2 choices:
1)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies
The former is legacy and the latter is granular.
Which policy do I have to use? 1 or 2?
2) How can I receive only logon events about interactive logons and remote desktop logons on the domain controller?
It's not necessary to trace other AD user logons.
So when auditing is enabled through Advanced Audit Policy Configuration, it traces all login/logout events and there is no possibility to distinguish interactive logons? Is that right? I have to filter afterwards in Event Viewer.
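
The after-the-fact filtering asked about above, as an added example that is not part of the original post: a query that returns only console and RDP logons from the domain controller's Security log. It assumes logon success auditing is enabled so that event 4624 is written; `Get-InteractiveLogon` is a hypothetical helper name chosen for this example.

```powershell
# Added example, not from the original post. Run in an elevated session on the DC.
# Assumption: logon success auditing is enabled, so event 4624 reaches the Security log.
function Get-InteractiveLogon {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [datetime]$Since     = (Get-Date).AddDays(-1),
        [int]     $MaxEvents = 500
    )

    # Logon types carried in event 4624:
    #   2  = Interactive (console), 10 = RemoteInteractive (Remote Desktop)
    $typeName = @{ '2' = 'Interactive'; '10' = 'RemoteInteractive' }

    # Filter inside the event log query so network (3), service (5) and the
    # other logon types are never returned to the script.
    $ms    = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents |
        ForEach-Object {
            # Named EventData fields are only reachable through the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogonType   = $typeName[$data['LogonType']]
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                SourceIp    = $data['IpAddress']
                LogonId     = $data['TargetLogonId']
            }
        }
}

# Console and RDP logons to this DC during the last 8 hours.
Get-InteractiveLogon -Since (Get-Date).AddHours(-8) | Format-Table -AutoSize
```

The audit policy itself still records every logon type; the selection happens only at query time, and the same XPath expression can be used in an Event Viewer custom view.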