Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 9

UDT: User Logins, Event 4768 YES, Event 4769 NO

So everything appears to work, my Event Log Reader creds work, Solarwinds UDT loves my AD controllers, but I get no User Login info.  What is happening?  So I did the UDT Compatibility Checker for Users, (that's all I'm getting from my DC's, no WMI which should be fine).  I query my DC and I get a nice long list in the Live Log for Event 4768.  However, I get no 4769.  There's not enough info other than a 4769 is required and I don't know why?  How do I get 4769 to turn on in AD?  Did I miss something in group policy maybe?  I just can't figure it out and I feel so close to getting this working.  Please help

0 Kudos
3 Replies
Level 9

OK.  I have dug in further and the event 4769 is generated by active directory ONLY in the Advanced Security Audit Account login options and you choose to Audit Kerberos Service Tickets.   This is not on by default!!!  Audit Kerberos Service Ticket Operations

There's no information from SW other than "4769 should be generated to correspond with 4768 within 20 seconds" blah blah blah.  But no, no it should not because AD does not have this option on by default.  I fail to see the purpose of 4769 when 4768 generates a login success and location/IP.  We have AD Audit from ManageEngine and it pulls just fine on 4768.  It is really frustrating having to dig into something that isn't properly documented too.  Please fix your Adminstrator's guide to actually detail the requirements, rather than "it should get 4769" when it isn't a default turned on feature of AD.  For me to turn this on my domain controllers now is going to be a major headache not to mention a massive increase in events. 

0 Kudos

Hi Shawn,

I apologize for the incovenience with the admin guide and will request the update. Thanks for letting us know.



0 Kudos

Hi Peter,

Latest Admin guide does not include details about Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations policies.

Will you please followup with doc rep?

Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon

0 Kudos