April 8, 2021

Domain admins failed logins not logging

We have a 2012 R2 functional domain with audit/failure logging set up. These logs are read by our SIEM. We recently noticed no failures for some accounts. Upon further testing, there are no Audit Failures logged in the DC event viewer for any Domain Admin accounts, but thousands for other accounts. This leads me to think this is an exception or filtering on a GPO somewhere, and I haven’t been able to track anything down yet. Our audit settings are done via GPO on the default domain and default domain controller policies.

It did seem to just be logon failures not logging. We tested locking an account with bad passwords and that worked and logged successfully.

Has anyone come across this before? How would you make an unaudited group if you wanted?
