  1. #1
    Join Date
    Apr 2017

    Active Directory Login Monitor - Server 2012 R2 and Windows 10

    This took me a long time to figure out, so I hope it helps others.

    According to Untangle's "Active Directory Login Monitor Installation" guide, only "Audit Kerberos Authentication Service" needs to be enabled in Local Security Policy in order to send login events to Untangle. This did not work for me in my environment. However, when I also enabled "Audit Other Account Logon Events" it works:

    Local Security Policy.PNG

    These events are in the DC's event log (Event Viewer\Windows Logs\Security).
    • Event ID: 4768
    • Task Category: "Kerberos Authentication Service"

    My environment:
    • DC: Microsoft Windows Server 2012 R2 Standard (Version 6.3, Build 9600)
    • Client: Microsoft Windows 10 Pro (Version 1607, Build 14393.1066)

    Note: When a user logs off, it is sent to the API as an "update" action, not a "logout" action. This means that if a local user account logs in afterwards, they will fall under the previous domain user's Untangle policy. Untangle support said this is how it is: "The update event is intended and expected. No logout events."


  2. #2
    Join Date
    Apr 2017


    Great post! Thank you!

  3. #3
    Join Date
    Aug 2009


    Thank you for this information! Do you have any other settings that you applied? My Server 2012 R2 AD still will not pass any login information to Untangle. I have to use the login script. At another client site, information is passed, but it's incorrect.

  4. #4
    Master Untangler
    Join Date
    May 2010


    Sorry to drag up an old thread - ran across this while searching for another item...

    I have two Server 2016 DCs, but I installed the active directory connector on both of them per the guidance Untangle gives for Server 2012 R2 servers. I did not change "Audit Other Account Logon Events". My logon events are all getting relayed to Untangle correctly.

    Weird that the OP had to do something different.

    Last edited by JasonJoel; 07-18-2017 at 07:07 PM.

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Phoenix, AZ


    Group Policy doesn't always work out the way you want. I'll bet he has a conflicting policy somewhere. Auditing Kerberos Authentication Service should be all that's required. However, the directions have you changing a local server policy, and I've never done this because it can be unreliable on domain controllers. I prefer to create a policy linked to the domain controller's OU, and enable the policies there. I'll then filter out DCs I don't want modified if necessary.

    But, Untangle isn't Microsoft. Supporting Microsoft GPOs opens a can of worms that is best solved by MCSEs that know how to do these things. The instructions are a very simple and effective way to make things work, but not necessarily the best.
    Rob Sandling, BS:SWE, MCP
    Phone: 866-794-8879 x201
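
Added example (not from any poster in this thread and not Untangle's own tooling): a PowerShell check, run elevated on the domain controller, that reports the effective setting of the two audit subcategories discussed above and confirms that Event ID 4768 is actually being written to the Security log. The one-hour lookback window and the 20-row limit are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the DC.
# Subcategory names are the two discussed in this thread.
$subcategories = 'Kerberos Authentication Service',
                 'Other Account Logon Events'

# 1. Effective audit policy. auditpol reports what is in force after
#    local policy and any domain GPOs have been processed, so a
#    conflicting GPO shows up here as "No Auditing".
foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ } |          # /r emits CSV with blank lines
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# 2. Are Kerberos TGT requests (Event ID 4768) being logged?
$since  = (Get-Date).AddHours(-1)      # assumed lookback window
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4768 events since $since. Check the audit policy above."
}
else {
    $events | Select-Object -First 20 | ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            User          = $fields['TargetUserName']
            Domain        = $fields['TargetDomainName']
            ClientAddress = $fields['IpAddress']
            Status        = $fields['Status']   # 0x0 = ticket issued
        }
    } | Format-Table -AutoSize
}
```

If step 1 shows "No Auditing" after the policy was enabled locally, a domain-linked GPO is overriding it, which is the conflict described in post #5.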
