Results 1 to 3 of 3
  1. #1
    Join Date
    Apr 2017

    Default Active Directory Login Monitor - Server 2012 R2 and Windows 10

    This took me a long time to figure out, so I hope it helps others.

    According to Untangle's "Active Directory Login Monitor Installation" guide (, only "Audit Kerberos Authentication Service" needs to be enabled in Local Security Policy in order to send login events to Untangle. This did not work for me in my environment. However, when I also enabled "Audit Other Account Logon Events" it works:

    Local Security Policy.PNG

    These events are in the DC's event log (Event Viewer\Windows Logs\Security).
    • Event ID: 4768
    • Task Category: "Kerberos Authentication Service"

    My environment:
    • DC: Microsoft Windows Server 2012 R2 Standard (Version 6.3, Build 9600)
    • Client: Microsoft Windows 10 Pro (Version 1607, Build 14393.1066)

    Note: When a user logs off, it is sent to the API as an "update" action, not a "logout" action. This means that if a local user account logs in afterwards, they will fall under the previous domain user's Untangle policy. Untangle support said this is how it is: "The update event is intended and expected. No logout events."


  2. #2
    Join Date
    Apr 2017


    Great post! Thank you!

  3. #3
    Join Date
    Aug 2009


    Thank you for this information! Do you have any other settings that you applied? My Server 2012 R2 AD still will not pass any login information to Untangle. I have to use the login script. At another client site, information is passed, but it's incorrect.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2