SysAdmin MAGAZINE

Secrets of Active
Directory Auditing
 Contents SysAdmin Magazine September 2024

SysAdmin
Magazine Contents

81
3 Active Directory Auditing Guidelines
№ September '24

8 How to Detect Who Deleted a Group Policy Object

SysAdmin Magazine is a free 9 Active Directory Attributes: Last Logon

source of knowledge for IT Pros
who are eager to keep a tight
grip on network security and do
11 How to Get User Logon Session Times from the Event Log
the job faster.

13 How to Guide: How to Monitor User Logоns in a Domain

14 Tool of the Month: Netwrix Auditor for Active Directory

The Sysadmin Magazine team

[email protected]

2
 Contents SysAdmin Magazine September 2024

Active Directory
like logon attempts and directory changes, and identify
security gaps like inactive user and computer accounts.
Using Audit Policy

Auditing
To specify which system events and user activity to track,
However, Active Directory does not audit all security
you use the Audit Policy settings in Active Directory Group
events by default — you must explicitly enable auditing of
Policy. You specify which types of events you want to audit

Guidelines
important events so that they are recorded in the Security
and select the settings for each one. For instance, you can
event log and available for inclusion in audit reports and
log all events when a user account is disabled or a bad
alerts.
password is entered.

This article provides recommendations for setting up

Jeff Melnick Like other Group Policy settings, auditing is configured
IT Security Expert, Blogger auditing in your Active Directory environment, using the
using the Group Policy Management Editor (GPME) tool in
Netwrix Audit Policy Best Practices as a reference.
the Group Policy Management console (GPMC). Note that
audit settings for devices joined to a domain are be default
set at relatively low level, so they should be refined. On
Active Directory provides account management,
domain controllers (DCs), auditing is often more robust,
authentication and authorization services that are critical
for strong access governance. Accordingly, proper Active Getting Started with AD but it still might not be at the level that you need.

Directory auditing is essential for both cybersecurity and

compliance with regulations that require strong access
Auditing To audit Active Directory, you can use either the basic (local)
security audit policy settings or the advanced security audit
management.
Active Directory (AD) auditing is the process of collecting policy settings, which enable more granularity. Microsoft
and analyzing data about your AD objects and Group does not recommend using both, since that can lead to
For example, to promptly detect insider threats,
Policy. Organizations perform AD auditing to proactively “unexpected results in audit reporting.” In most cases,
organizations need to constantly watch for the creation of
improve security, promptly detect and respond to threats, when you turn the advanced auditing on, basic auditing
new accounts and security groups and any modifications
and keep IT operations running smoothly. will be ignored, even if you later turn the advanced auditing
to existing users and groups, since those changes could
off. It is recommended to use Advanced auditing if you are
provide unwarranted access rights that could be misused
not currently performing any auditing.
by account owners or attackers who compromise their
accounts. They also must keep a close eye on user activities

3
 Contents SysAdmin Magazine September 2024

▪ Basic policies can be set by going to Computer policy name. According to Microsoft, the recommended authentication. It should not be confused with Audit logon
Configuration > Policies > Windows Settings > Security maximum log size for modern OS versions is 4Gb, and the events, which defines the auditing of every user attempt to
Settings > Local Policies > Audit Policy. recommended maximum total size for all logs is 16Gb. You log on to or log off from a computer, as explained below.
can view the logs with Event Viewer.
▪ Advanced policy settings can be found under Computer Here are the recommended settings for the advanced
Configuration > Policies > Windows Settings > Advanced Audit account logon events policy:
Audit Policy Configuration > Audit Policies.
▪ Audit Credential Validation: Failure

Which AD Security Log ▪

▪
Audit Kerberos Authentication Service: Success, Failure
Audit Kerberos Service Ticket Operations: Failure
Audit Policy Scope Events to Track ▪ Audit Other Account Logon Events: Success, Failure

You can define auditing policies for both the entire domain The key to effective auditing is knowing which events to Note that logoff events are not tracked on domain controllers
and individual organizational units (OUs). Note that a log. If you track too many events, your logs will be so full of unless you are actually logging into that specific DC.
setting configured at the OU level has higher priority than a noise that they’ll be hard to analyze and they’ll overwrite
domain-level setting and will override it in case of conflicts. themselves quickly. But if you fail to track critical events,
You can check the resulting policies using the auditpol you’ll be unable to detect malicious activity and investigate
command-line utility. security incidents. Here are the recommended events to Audit logon events
track to strike the right balance.
This policy can record all successful and failed attempts
to log on or off a local computer, whether by a domain
Configuring the Security Log Audit account logon events account or a local account. This information is useful for
intruder detection and post-incident forensics. Microsoft
You’ll also need to specify the maximum size and other provides descriptions of the various event IDs that can be
To detect unauthorized attempts to log in to a domain,
properties of the Security log using the Event Logging logged.
it is necessary to audit logon events — both successful
policy settings. To change settings via GPME, navigate to
and failed. Audit account logon events provides a way to
Computer Configuration > Policies > Windows Settings
track authentication events, such as NTLM and Kerberos
> Security Settings > Event Log and double-click the

4
 Contents SysAdmin Magazine September 2024

The minimum recommended advanced settings are:

Directory service access Policy change
▪ Audit Account Lockout: Success, Failure
Monitor this only if you need to see when someone Improper changes to a Group Policy object (GPO) can
▪ Audit Group Membership: Success
accesses an AD object that has its own system access lead to security incidents and violations of data privacy
▪ Audit Logoff: Success, Failure
control list, such as an OU. In that case, it is recommended mandates. To reduce your risk, set up following advanced
▪ Audit Logon: Success, Failure
to configure the following settings: settings:
▪ Audit Special Logon: Success, Failure

Audit Directory Service Access: Success, Failure ▪ Audit Policy Change: Success, Failure
Audit Directory Service Changes: Success, Failure ▪ Audit Authentication Policy Change: Success, Failure
▪ Audit MPSSVC Rule-Level Policy Change: Success,
Account management Failure
▪ Audit Other Policy Change Events: Failure
Carefully monitoring all changes to user accounts helps Object access
minimize the risk of business disruption and system
unavailability. Audit this only if you need to see when someone used
privileges to access, copy, distribute, modify or delete
At a minimum, it is recommended to set the basic Audit files on file servers. Enabling this setting can generate
Directory service access
account Management policy to “Success”. If you are using a large volume of Security log entries, so use it only if
Turn this on only if you want to track each instance of user
Advanced audit policies, use the following settings: you have a specific use for that data. The recommended
privileges being used. Enabling this policy can generate a
advanced settings are:
large volume of entries in your Security logs, so do so
▪ Audit Application Group Management: Success, Failure
only if you have a specific use for that data. To enable this
▪ Audit Computer Account Management: Success Audit Detailed File Share: Failure
policy, configure the following:
▪ Audit Distribution Group Management: Success Audit File Share: Success, Failure
▪ Audit Other Account Management Events: Success Audit Other Object Access Events: Success, Failure
Audit Sensitive Privilege Use: Success, Failure
▪ Audit Security Group Management: Success Audit Removable Storage: Success, Failure
▪ Audit User Account Management: Success, Failure

5
 Contents SysAdmin Magazine September 2024

Process tracking (sometimes called

Detailed tracking)
AD Auditing Best ▪ Privileged AD access — Examine critical objects like
GPOs.
PracticesTop of Form
Available only in advanced audit policy, this setting is ▪ Large groups — Evaluate the access of large groups
focused on process-related audit events, such as process By auditing Active Directory, you can reduce security like Domain Users and Everyone.
creation, process termination, handle duplication and risks by identifying and remediating toxic conditions like
indirect object access. It can be useful for incident deeply nested groups and directly assigned permissions ▪ Privileged user access — Determine which users
investigations, but it can generate a large volume of entries that attackers can exploit to gain access to your network have elevated access, either through membership
in your Security logs, so enable it only if you have a specific resources. The following best practices can help make your in powerful groups like Domain Admins or via more
use for the data. The recommended settings are: AD auditing more effective: indirect methods like nested group membership.

▪ Audit PNP Activity: Success

▪ Audit Process Creation: Success
Get a thorough understanding of Get the right stakeholders involved
your AD environment
Determine which business users understand who should
System Start by getting answers to the following questions: have access to what. For example, the manager of a
particular department is likely to know which IT resources
▪ How many accounts and groups do you have?
It is wise to log all attempts to start, shut down or restart of their team members needs access to in order to do their
▪ What GPOS and other critical Active Directory objects
a computer, as well as all attempts by a process or program jobs, and why permissions have been set up a certain way.
do you have?
to do something that it does not have permissions to do,
▪ Who has permissions to your DCs and OUs?
such as malicious software trying to change settings on
your computer. Recommended advanced settings are:

▪ Audit Security State Change: Success, Failure

Regularly review group membership
Prioritize your efforts
▪ Audit Other System Events: Success, Failure
First, ensure that only the right users are members of
▪ Audit System Integrity: Success, Failure
Three places organizations often begin are: Domain Admins and Enterprise Admins. Strictly limiting
▪ Audit Security System Extension: Success

6
 Contents SysAdmin Magazine September 2024

membership in these groups will reduce the risk that a

rogue admin will abuse their privileged access. Equally Next steps
important, it minimizes the number of accounts that an
adversary could compromise to instantly gain control of
Setting up the correct audit policies is a great start —
the domain.
but it’s only half the battle. You also need to be able to
analyze the data you collect. Unfortunately, modern IT
Second, have business owners validate that the right
environments are so complex and busy that logs often
members are in their groups — and that the group has
become too large to sift through effectively, and the audit FREE GUIDE
access to only the resources that it needs.
log can even overwrite itself. Single-purpose software
tools can help with particular tasks, but a patchwork of
Repeat these reviews on a regular basis.
solutions cannot deliver the comprehensive visibility you
need for data security.
Audit Policy Best
With the Netwrix Active Directory Security Solution, you
Practices
Keep improving your AD auditing can secure your Active Directory from end to end. It will
process enable you to:
Download Now
▪ Uncover security risks in Active Directory and prioritize
Once you implement your top priorities for AD auditing,
your mitigation efforts.
move on to the next areas. For example, once you have
▪ Harden security configurations across your IT
established regular reviews of group membership, start
infrastructure.
auditing changes to AD passwords.
▪ Promptly detect and contain even advanced threats,
such as DCSync , NTDS.dit extraction and Golden Ticket
attacks.
▪ Respond to known threats instantly with automated
alerts options.
▪ Minimize business disruptions with fast Active Directory
recovery.

7
 Contents SysAdmin Magazine September 2024

How to Detect How to detect who deleted

a GPO using native
3. Navigate to the \domainnamesysvoldomainfqdn > right-
click “Policies” folder and select “Properties”.

Who Deleted auditing tools? 4. Select the “Security” tab > “Advanced” button > “Audit-
ing” tab > Click “Add”.

a Group Policy 1. Run GPMC.msc > open “Default Domain Policy” > Com-
puter Configuration > Policies > Windows Settings > Secu-
5. Select Principal: “Everyone”; Select “Type: All”; Select “Ap-

Object
plies to: This folder, subfolders and files”; Select the fol-
rity Settings:
lowing “Advanced Permissions”: Write attributes; Write ex-
▪ Advanced Audit Policy Configuration > Audit Policies > tended attributes; Delete; Delete subfolders and files; Click
Object Access > Audit File System > Define > Success “OK” three times.
and Failures
Jeff Melnick ▪ Advanced Audit Policy Configuration > Audit Policies > 6. To define what group policy was deleted filter Security
IT Security Expert, Blogger Object Access > Audit Handle Manipulation > Define > Event Log for Event ID 4663 (Task Category – “File System”
Success and Failures or “Removable Storage”) and search for “Object Name:”
▪ Local Policies > Audit Policy > Audit directory service ac- string, where you can find the path and GUID of delet-
Group Policy Objects (GPOs) can provide configurations
cess > Define > Success and Failures ed policy and “account name” field contains information
for access to shared resources and devices, enable
▪ Event Log > Define > Maximum security log size to 1gb about who deleted it.
critical functionalities or establish secure environments.
and Retention method for security log to Overwrite
If some of the GPOs are deleted, users may not be able
events as needed.
to access the Internet, modify their data, use peripherals
or even log in to their systems. Deleting GPOs that deal
2. Open ADSI Edit > Connect to Default naming context >
with access control, authentication and other security
DC=domain name > CN=System > right click “CN=Policies”
policies may increase systems’ vulnerability and allow
> Properties > Security (Tab) > Advanced > Auditing (Tab) >
unauthorized access.
Click “Add” > Choose the following settings:

▪ Principal: Everyone; Type: Success; Applies to: This ob-

ject and all descendant objects; Permissions: Delete
group Policy Container objects > Click “OK”.

8
 Contents SysAdmin Magazine September 2024

in replication traffic necessary to keep this attribute in sync

Active Directory Last Logon AD Attribute across a network’s domain controllers would have been over-
whelming, especially at its time of introduction twenty years

Attributes: Last
The Last-Logon attribute contains a Windows FileTime rep-
ago. But this behavior is also the reason that it is necessary
resentation of the last time a domain controller successfully
to be careful when using this attribute to report on stale user
authenticated the user. It is the granddaddy of user logon

Logon
accounts.
metadata, having been around since the first version Active
Directory.
Because Last-Logon is not replicated (domain controllers
don’t exchange this information), attribute values can be in-
Joe Dibley Using the PowerShell command below, you can retrieve the
terpreted only in the context of the domain controller being
Security Researcher at Netwrix last logon time and other user properties on a domain con-
queried. That is, the attribute’s value is not necessarily the
troller:
last time the user logged in, but rather the last time the user
successfully authenticated through the domain controller
Active Directory user objects possess a number of logon
Get-ADUser -Filter * -Properties being checked. Similarly, the attribute having a value is zero
metadata attributes that are valuable for Active Directory au-
lastLogon | Select samaccountname, @ does not necessarily mean that the user has never logged
dit reporting and administration. For example, they are com-
{Name="lastLogon";Expression={[date- in; it may mean that the domain controller that returned the
monly used to identify user accounts that have been inactive
time]::FromFileTime($_.'lastLogon')}} value has never processed a login request from that user.
for a significant period, or as “stale” accounts.

In short, while the Last-Logon attribute can be used for log-

However, each logon metadata attribute has some unique
The Last-Logon attribute is updated every time a domain in-related auditing, accurate reporting will require querying
behaviors that need to be understood. Otherwise, organiza-
controller successfully processes a logon request, so it might every domain controller capable of processing login requests
tions can end up with reports that are confusing at best and
appear that it provides the perfect way to accurately identify to identify the most recently updated value for any specific
inaccurate or otherwise misleading at worst.
stale user accounts. However, there’s a big caveat that needs user account. Alternatively, you can use a third-party report-
to be taken into account. ing solution, as discussed later in this article.
This article explains the behaviors of each Active Directory
user object logon metadata attribute, methods for review-
AD Last-Logon is not a replicated attribute; each domain con-
ing them, and the potential uses and misuses of each.
troller (DCs) maintains its own version of the attribute for
any specific user. This behavior is intentional — the increase

9
 Contents SysAdmin Magazine September 2024

Interval is set to $($lastLogonReplica- In practice, the Last-Logon-Timestamp attribute will simplify

Last-Logon-Timestamp tionInterval) days" login-related auditing and reporting. The only significant po-
} tential issue involves inactive user reporting. When used to
The Last-Logon-Timestamp contains a Windows FileTime
else { identify inactive users, the threshold for staleness needs to
representation of a recent time the user logged on to a do-
Write-Host "ms-DS-Logon-Time-Sync-In- exceed the domain’s ms-DS-Logon-Time-Sync-Interval value
main. This user attribute was introduced with Microsoft Win-
terval is not set and will be treated as by enough time to ensure that replication has been able to
dows Server 2003. Unlike the older Last-Logon attribute, the
14 days" propagate any meaningful updates.
Last-Logon-Timestamp attribute is a replicated attribute; its
value for any specific user is synced to every domain control-
In a domain with the default 14-day maximum update bound-
ler. This is a big improvement over the Last-Logon attribute.
ary, the Last-Logon-Timestamp is updated only when a do-
That means the best way to identify stale user accounts is to
use the Last-Logon-Timestamp, right? Well, using this attri-
main controller successfully processes a logon request and LastLogonDate
the period since the attribute’s last update is greater than
bute comes with its own warning.
somewhere between 9 and 14 days. The variation in that
period is the result of a random percentage that is included Those familiar with PowerShell may recognize LastLogon-
The gotcha with the Last-Logon-Timestamp attribute is that it
in the logic that controls the update frequency. This behav- Date, but you won’t be able to find it anywhere in the Active
is not always updated when a domain controller successfully
ior reflects a compromise between limiting the replication Directory global catalog schema. This is because LastLog-
processes a logon request. Instead, the attribute has a dynam-
traffic necessary to keep this attribute in sync across a net- onDate is actually a locally calculated value that will display
ic update frequency that is limited by the value of the ms-DS-
work’s domain controllers and limiting the likelihood of hav- the replicated value of the Last-Logon-Timestamp attribute
Logon-Time-Sync-Interval attribute, which defaults to NOT SET
ing to replicate a significant number of users who had their in a user-friendly format. Unsurprisingly, LastLogonDate has
and is treated as 14 days. It’s not common for this attribute to
Last-Logon-Timestamp updated at around the same time. all of the benefits and all of the drawbacks of the Last-Log-
have been changed, but if you’re curious, you can easily identi-
on-Timestamp attribute. However, since it does not require
fy its actual value using following PowerShell script:
Here’s a simplified example of the logic that controls the up- conversion from Windows DateTime, it is the best option for
date frequency of the Last-Logon-Timestamp attribute: most user login-related audit reporting.
$lastLogonReplicationInterval = (Get-AD-
Domain).LastLogonReplicationInterval
(Current Datetime – Last-Logon-Time-
if( $lastLogonReplicationInterval )
stamp) ? (ms-DS-Logon-Time-Sync-Inter-
{
val – (Random % * 5 days))
Write-Host "ms-DS-Logon-Time-Sync-

10
 Contents SysAdmin Magazine September 2024

all of these logon and logoff events since each event has a unique ID. However, there’s no way to know how long that user account

How to Get User was logged on. Using a little patience and event log snooping we can.

Logon Session To figure out user session time, you’ll first need to enable three advanced audit policies; Audit Logoff, Audit Logon and Audit Other
Logon/Logoff Events. The combination of these three policies get you all of the typical logon/logoff events but also gets the worksta-

Times from the

tion lock/unlock events and even RDP connect/disconnects. This ensures we get all of the session start/stop events.

Event Log
Adam Bertram
IT consultant and Microsoft MVP

If you’re a knowledge worker, to be productive in a work envi-

ronment, you’re probably going to need a user account. And
you’re probably going to need to actually use this user ac-
count to login to your office and mobile devices. If you don’t,
you’re probably not going to be working at that company for
too much longer.

As IT administrators, we see users log on and off all the time.

When Active Directory (AD) auditing is setup properly, each
of these logon and logoff events are recorded in the event
log of where the event happened from. With enough script-
ing kung-fu or specialized software we could, fairly easily, pull

11
 Contents SysAdmin Magazine September 2024

When these policies are enabled in a GPO and applied to a In this instance, you can see that the LABAdministrator
set of computers, a few different event IDs will begin to be account had logged in (ID 4624) on 8/27/2015 at 5:28PM
generated. They are: with a Logon ID of 0x146FF6. I then looked up through the
event log at the subsequent messages until I found a ses-
▪ Logon – 4624 (Security event log)
sion end event (ID 4634) that showed up with the same
▪ Logoff – 4647 (Security event log)
Logon ID at 5:30PM on the same day. Knowing this Logon
▪ Startup – 6005 (System event log)
ID, I was then able to deduce that the LABAdministrator
▪ RDP Session Reconnect – 4778 (Security event log)
account had been logged on for three minutes or so.
▪ RDP Session Disconnect – 4779 (Security event log)
▪ Locked – 4800 (Security event log)
This was just a quick demonstration of actual logon/logoff
▪ Unlocked – 4801 (Security event log)
scenarios. You’ll find that when you review a computer in
the “real world” you can’t always depend on logon/logoff
You’ll notice the startup event. Why that one? The reason is
events if you’d like to find user session durations. Multiple
because what if the computer’s power plug is pulled while
scenarios may come into play such as when a user locks
a user is logged in? How will we know when that is. It’s not
her computer and comes back to unlock it. Perhaps she
a perfect metric but it’s the only date/time we have to show
may lock her computer and the power gets cut. There will
when that happened.
be no unlock event; only a startup event. These are the
gotchas you need to watch out for to be able to accurately
Once we’ve got all of the IDs put together, we’ll then need
calculate user session history.
to match the session start event with the very next session
end event. But what if there are multiple users logging into
a computer? To differentiate we can use the Logon ID field.
This is a unique field for each logon session. If we can find
a session start time and then look up through the event
log for the next session stop time with the same Logon ID
we’ve found that user’s total session time.

12
 Contents SysAdmin Magazine September 2024

How-to for IT Pro 4. Link the new GPO to OU with Computer Accounts: Go to "Group Policy Management" > right-click the defined OU > choose
Link an Existing GPO > choose the GPO that you created.

HOW TO MONITOR USER LOGОNS IN A DOMAIN

5. Open Event viewer and search Security log for event id’s 4648 (Audit Logon).

1. Run gpmc.msc > Create a new GPO > Edit it: Go to "Com-
puter Configuration" > Policies > Windows Settings >
Security Settings > Advanced Audit Policy Configuration
>Audit Policies > Logon/Logoff:

▪ Audit Logon > Define > Success And Failures.

2. Go to Event Log > Define:

▪ Maximum security log size to 4gb

▪ Retention method for security log to "Overwrite
events as needed".

3. Link the new GPO to OU with Computer Accounts: Go

to "Group Policy Management" > right-click the defined
OU > choose Link an Existing GPO > choose the GPO
that you created.

13
 Contents SysAdmin Magazine September 2024

ц Leverage Active Directory auditing with Netwrix Auditor Detect security incidents with continuous
to maintain security and prove compliance Active Directory change auditing and alerting
TOOL OF THE MONTH Answers to many crucial questions are buried deep in
your Active Directory change logs. Who deleted an ac-
count? Who added an account to a Domain Admins
group? Who reset a user’s password? You need detailed
answers to these questions ASAP. Most legacy audit tools
can’t help you get them. Netwrix Auditor can.

Netwrix Auditor Troubleshoot unwanted changes with detailed Microsoft

for Active Active Directory reporting

Directory Investigate insider threats with a complete audit trail

for Active Directory
Schedule One-to-One Demo

14
 Contents SysAdmin Magazine September 2024

[On-Demand Webinar]

Fortifying On-Premises
Join us as we delve into the critical challenges of protecting Active Directory (AD) environments
from identity-based threats. As cybercriminals increasingly target identities and systems, it's

Identity Systems:
essential for organizations to adapt by enhancing their detection, response, and mitigation
strategies in real time. Protecting your key on-premises identity infrastructure — Active

Active Directory Threat

Directory — is crucial because it remains the backbone of many organizations' access control
and authentication processes. When Active Directory is not secure, nothing is. This session
will provide you with the knowledge and tools needed to strengthen your AD security posture,

Prevention, Detection ensuring your organization is prepared to combat the ever-evolving identity threat landscape.

& Response ▪ Understand the key risks and vulnerabilities specific to AD attacks.
▪ Discover best practices for reducing your identity attack surface and remediating
misconfigurations.
▪ Learn how to implement real-time detection and response strategies to safeguard your on-
Adam Laub premises identity infrastructure.
General Manager ▪ Explore the latest technologies and techniques to prevent credential theft and privilege
abuse within your AD environment.

Kevin Joyce
Senior Technical Product Manager at Netwrix
Regester Now

15
 About Netwrix
What did you think
of this issue?
Netwrix champions cybersecurity to ensure a brighter digital future for any organization. Netwrix's
innovative solutions safeguard data, identities, and infrastructure reducing both the risk and impact
of a breach for more than 13,500 organizations across 100+ countries. Netwrix empowers security
professionals to face digital threats with confidence by enabling them to identify and protect sensitive
data as well as to detect, respond to, and recover from attacks.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS:

300 Spectrum Center Drive 1-949-407-5125 Spain: +34 911 982608 Switzerland: +41 43 508 3472 Hong Kong: +852 5808 1306
Suite 200 Irvine, CA 92618 Toll-free (USA): 888-638-9749 Italy: +39 02 947 53539
Netherlands: +31 858 887 804 France: +33 9 75 18 11 19

Sweden: +46 8 525 03487 Germany: +49 711 899 89 187

565 Metro Place S, Suite 400 1-201-490-8840
Dublin, OH 43017

5 New Street Square +44 (0) 203 588 3023 SOCIAL: netwrix.com/social
London EC4A 3TW