Would you like to learn how to configure a group policy to audit the NTLM authentication success and failure? In this tutorial, we will show you how to configure the NTLM authentication audit feature using a GPO.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

This link will also show the software list used to create this tutorial.

Tutorial GPO - Audit the NTLM authentication

On the domain controller, open the group policy management tool.

Windows - Group Policy management

Edit the default domain policy.

GPO - Default domain policy

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Security options.

GPO - Default domain - local security options

Edit the configuration item named Network security: Restrict NTLM: Audit Incoming NTLM Traffic.

Enable the options to audit for all accounts.

GPO - Audit Incoming NTLM

Edit the configuration item named Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.

Enable the options to audit all.

GPO - Audit Outgoing NTLM

To save the group policy configuration, you need to close the Group Policy editor.

Edit the default domain controllers policy.

GPO - Default domain controllers policy

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Copy to Clipboard

Access the folder named Security options.

GPO - Default domain controllers - Security Options

Edit the configuration item named Network security: Restrict NTLM: Audit NTLM authentication in this domain.

Select the option Enable all.

GPO - Audit NTLM authentication in this domain

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial GPO - Audit NTLM logon events

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

On a remote computer, start an elevated Powershell command-line.

Windows 10 - powershell elevated

Verify the list of NTLM events that will be logged.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

List NTLM logon events.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

List specific NTLM events.

Copy to Clipboard

Get details from the last NTLM event.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

In our example, we configured a GPO to audit NTLM success and failure events.