To enable collection of event logs on a local machine without a GPO, run the following command from an administrator command prompt:

```
auditpol /set /subcategory:[subcategory] /success:enable /failure:enable
```

Replace [subcategory] with the subcategory name from the following table.
Event IDs | Audit Policy | Subcategory | Additional configuration needed |
---|---|---|---|
4776, 4822, 4823 | Account Logon | Audit Credential Validation | |
4768, 4771, 4824 | Account Logon | Audit Kerberos Authentication Service | DCs only |
4769, 4770, 4821 | Account Logon | Audit Kerberos Service Ticket Operations | DCs only |
4741, 4742, 4743 | Account Management | Audit Computer Account Management | DCs only |
4727, 4728, 4729, 4731, 4732, 4733, 4735, 4737, 4754, 4755, 4756, 4757, 4764, 4799 | Account Management | Audit Security Group Management | |
4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781 | Account Management | Audit User Account Management | |
4662 | DS Access | Audit Directory Service Access | DCs only; additional setup for Active Directory Certificate Services (ADCS) events |
4634, 4647 | Logon/Logoff | Audit Logoff | |
4624, 4625, 4648 | Logon/Logoff | Audit Logon | |
4649, 4778, 4800, 4801, 4802, 4803 | Logon/Logoff | Audit Other Logon/Logoff Events | |
4672 | Logon/Logoff | Audit Special Logon | |
4880, 4881, 4885, 4886, 4887, 4888, 4896, 4898, 4899, 4900 | Object Access | Audit Certification Services | Additional setup for Active Directory Certificate Services (ADCS) events |
5140 | Object Access | Audit File Share | |
4698, 4702 | Object Access | Audit Other Object Access Events | |
4713 | Policy Change | Audit Authentication Policy Change | |
4616 | System | Audit Security State Change | |
1102 | System | Other System Events | Enabled by default |
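The table above applied in one pass, as an added example that is not part of the original page: an elevated PowerShell script that enables every subcategory listed, skips the "DCs only" rows on a member server or workstation, and reads the effective policy back with `auditpol /get /r`. It assumes the local machine's role is read from `Win32_ComputerSystem.DomainRole`, and that the row marked "Enabled by default" (1102) needs no change.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Caveat: auditpol takes subcategory names WITHOUT the "Audit " prefix used in the
# table (e.g. "Credential Validation", not "Audit Credential Validation"), and
# names containing spaces or slashes must be quoted.

# Subcategories that apply to every machine in the table
$common = @(
    'Credential Validation',
    'Security Group Management',
    'User Account Management',
    'Logoff',
    'Logon',
    'Other Logon/Logoff Events',
    'Special Logon',
    'Certification Services',
    'File Share',
    'Other Object Access Events',
    'Authentication Policy Change',
    'Security State Change'
)
# Subcategories the table marks as "DCs only"
$dcOnly = @(
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Computer Account Management',
    'Directory Service Access'
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDc    = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
$targets = if ($isDc) { $common + $dcOnly } else { $common }

foreach ($sub in $targets) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
}

# Verify: "/get /r" emits CSV (blank first line dropped before parsing).
# Each row we touched should now show "Success and Failure".
$state = auditpol.exe /get /category:* /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv
$state |
    Where-Object { $targets -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Any subcategory whose "Inclusion Setting" still reads "No Auditing" after the run is being overridden by domain policy, which is the case this page's GPO-free approach cannot cover.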