Audit account logon events

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy


Determines whether to audit each instance of a user logging on to or logging off from another computer when this computer is used to validate the account.

For domain controllers, this policy is defined in the Default Domain Controllers Group Policy object (GPO). The default setting is No auditing.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when an account logon succeeds. Failure audits generate an audit entry when an attempted account logon fails. You can select No auditing by defining the policy setting and clearing both the Success and Failure check boxes.

As an example, if success auditing for account logon events is enabled on a domain controller, then an entry is logged for each user validated against that domain controller even though the user is actually logging on to a workstation that is joined to the domain.
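The following is an added example, not part of the original page: it reads the [Event Audit] section of a security template and reports how this policy and the related Audit logon events policy are set. It assumes the template text comes from `secedit /export /cfg` or a GPO's GptTmpl.inf; the sample template is constructed and the function names are hypothetical.

```python
import configparser

# Keys in the [Event Audit] section of a security template (assumption: the
# text came from `secedit /export /cfg <file>` or a GPO's GptTmpl.inf and was
# already decoded from UTF-16).
POLICIES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditLogonEvents": "Audit logon events",
}
SUCCESS, FAILURE = 0x1, 0x2  # the value is a bitmask: 0 none, 1, 2, or 3 both

# Constructed sample input, not taken from a real system.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def decode(value):
    """Turn a template value into the wording used in the policy editor."""
    if value is None:
        return "Not defined"  # key absent: the template does not set the policy
    bits = int(value)
    if bits not in (0, 1, 2, 3):
        raise ValueError(f"unexpected audit value: {value!r}")
    chosen = [name for flag, name in ((SUCCESS, "Success"), (FAILURE, "Failure"))
              if bits & flag]
    return ", ".join(chosen) or "No auditing"


def audit_summary(template_text):
    """Return {policy name: setting} for the two logon-related audit policies."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), allow_no_value=True)
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(template_text.lstrip("\ufeff"))
    section = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    return {label: decode(section.get(key)) for key, label in POLICIES.items()}


if __name__ == "__main__":
    for policy, setting in audit_summary(SAMPLE_TEMPLATE).items():
        print(f"{policy}: {setting}")
```

With the sample template, account logon events are audited for successes only, so failed validations against this computer would leave no audit entry.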

See also Audit logon events.