Tutorial GPO - Audit the NTLM authentication [ Step by step ]

Would you like to learn how to configure a group policy to audit the NTLM authentication success and failure? In this tutorial, we will show you how to configure the NTLM authentication audit feature using a GPO.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

Equipment list

This link will also show the software list used to create this tutorial.

Windows Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Windows.

Tutorial GPO – Audit the NTLM authentication

On the domain controller, open the group policy management tool.

Edit the default domain policy.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Security options.

GPO - Default domain - local security options

Edit the configuration item named Network security: Restrict NTLM: Audit Incoming NTLM Traffic.

Enable the options to audit for all accounts.

Edit the configuration item named Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.

Enable the options to audit all.

To save the group policy configuration, you need to close the Group Policy editor.

Edit the default domain controllers policy.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Security options.

GPO - Default domain controllers - Security Options

Edit the configuration item named Network security: Restrict NTLM: Audit NTLM authentication in this domain.

Select the option Enable all.

GPO - Audit NTLM authentication in this domain

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial GPO – Audit NTLM logon events

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

On a remote computer, start an elevated Powershell command-line.

Verify the list of NTLM events that will be logged.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Id Description
  -- -----------
 100 NTLM authentication failed because the account was a member of the Protected User group....
 101 NTLM authentication failed because access control restrictions are required....
 301 NTLM authentication succeded, but it will fail when Authentication Policy is enforced because access control restrictions are required....
4001 NTLM client blocked: Outgoing NTLM authentication traffic to remote servers that is blocked....
4002 NTLM server blocked: Incoming NTLM traffic to servers that is blocked...
4003 NTLM server blocked in the domain: NTLM authentication in this domain that is blocked...
4010 NTLM Minimum Client Security Block:...
4011 NTLM Minimum Server Security Block:...
4012 NTLM client used the domain password. The attempt to use the DC-generated NTLM secret failed, and fallback to the domain password succeeded....
4013 Attempt to use NTLMv1 failed....
8001 NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked....
8002 NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8003 NTLM server blocked in the domain audit: Audit NTLM authentication in this domain...

List NTLM logon events.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
8/5/2022 3:53:12 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:50:25 AM            8001 Information      NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked....
8/5/2022 3:50:25 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:53 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:52 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:51 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:50 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:49 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:48 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...
8/5/2022 3:29:47 AM            8002 Information      NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked...

List specific NTLM events.

Copy to Clipboard

Get details from the last NTLM event.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

In our example, we configured a GPO to audit NTLM success and failure events.

GPO – Audit the NTLM authentication

GPO – Audit the NTLM authentication

Equipment list

Windows Related Tutorial:

Tutorial GPO – Audit the NTLM authentication

Tutorial GPO – Audit NTLM logon events

Related Posts