You can edit the default domain policy to force domain computers to audit both SUCCESS AND FAILURE “Account Logon Events”, which are AD accounts, as well as “Logon Events”, which are local user accounts.
Local account audits are not registered on any DC, only on the local computer.
Both of these are found in the same GPO Audit Policy location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
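One way to confirm on a domain computer that the audit policy described above has actually taken effect, as an added example that is not part of the original answer. `Get-AuditGap` is a hypothetical helper name; the code assumes an English-language Windows installation (category names and setting strings are localized) and an elevated prompt for the live query. The sample rows are constructed.

```powershell
# Added example: hypothetical helper, not from the original answer.
# Lists audit subcategories that are NOT set to "Success and Failure".
function Get-AuditGap {
    param(
        # CSV lines in the format produced by "auditpol /get ... /r".
        # When omitted, the local effective policy is queried (needs elevation).
        [string[]]$CsvLines,
        # auditpol category names on English-language Windows (assumption).
        [string[]]$Category = @('Account Logon', 'Logon/Logoff'),
        [string]$Required = 'Success and Failure'
    )

    if (-not $CsvLines) {
        # One call per category; /r makes auditpol emit CSV.
        $CsvLines = foreach ($c in $Category) {
            auditpol.exe /get /category:"$c" /r
        }
    }

    # Drop blank lines, then keep a single copy of the CSV header row.
    $lines = @($CsvLines | Where-Object { $_ -and $_.Trim() })
    if ($lines.Count -lt 2) { throw 'No audit policy rows to evaluate.' }
    $header = $lines[0]
    $data   = @($lines | Where-Object { $_ -ne $header })

    (@($header) + $data) | ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne $Required } |
        Select-Object 'Machine Name', Subcategory, 'Inclusion Setting'
}

# Constructed sample in auditpol's /r layout (GUID column uses placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'WKS01,System,Credential Validation,{GUID-PLACEHOLDER},Success and Failure,'
    'WKS01,System,Logon,{GUID-PLACEHOLDER},Success,'
    'WKS01,System,Logoff,{GUID-PLACEHOLDER},No Auditing,'
)

# Offline check against the sample: reports the Logon and Logoff rows.
Get-AuditGap -CsvLines $sample

# Live check on the local machine (run elevated, after gpupdate /force):
# Get-AuditGap
```

An empty result from the live check means every subcategory under both categories is audited for success and failure on that machine.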