Trace logon and logoff users in AD
Hello,
I want to trace user logons and logoffs in my Active Directory 2003 domain environment. What kind of events should I track to get that information? (I enabled the audit policy on the DC.) I did a small investigation with Google and I would be able to find solution :(. I found that you can use logon and logoff scripts, but this doesn't satisfy me :(. Is it possible to track these events with the security log?
I enabled in GPO:
| Policy | Computer Setting | Source GPO |
| --- | --- | --- |
| Audit account logon events | Success, Failure | Default Domain Controllers Policy |
| Audit account management | Success | Default Domain Controllers Policy |
| Audit directory service access | Success | Default Domain Controllers Policy |
| Audit logon events | Success, Failure | Default Domain Controllers Policy |
| Audit object access | Success, Failure | Default Domain Controllers Policy |
| Audit policy change | Success | Default Domain Controllers Policy |
| Audit privilege use | Success, Failure | Default Domain Controllers Policy |
| Audit process tracking | No auditing | Default Domain Controllers Policy |
| Audit system events | Success | Default Domain Controllers Policy |
Best regards,
Xentri
December 16th, 2010 9:53am
Refer to this article about Windows and Active Directory Auditing.
December 17th, 2010 4:12am
Some additional notes:
a) The Account Logon events appear only on DCs; you will need to check this on all DCs.
b) There is no real 100% accurate method to find out whether the users have logged off.
c) The Logon events can be considered "session access events" rather than "logon/logoff" events, as the Logon events appear every time the user SESSION is established with the target service, and the logoff events appear again when the session is terminated.
This means several times during the day, or even a lot of times during any hour :-)
ondrej.
December 17th, 2010 5:00am
Hello,
Thanks for the answers. Ondrej:
ad a) I know it and I will check on all DCs.
ad c) I know it and this is the problem with the 538 event.
ad b) What does "no real 100%" mean? I traced some logoffs and I saw events:
the last events 540, 565, 565, 538 with the same Logon ID indicate a logoff (the double occurrence of 565 is the point).
Can anyone confirm this? Or does anyone know any other way to find out the logoff?
Best regards,
Xentri
December 20th, 2010 8:12am
Hi,
The following article could be helpful for your work:
Tracking Logon and Logoff Activity in Windows 2000
http://technet.microsoft.com/en-us/library/bb742436.aspx
December 21st, 2010 12:41am
Thanks for the reply.
I read this article but I didn't find any better information than event 538 connected with the Logon ID.
Does anyone have an idea?
Best regards,
Xentri
December 23rd, 2010 11:10am
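
The Logon ID correlation discussed in this thread, as an added example that is not code from any of the posters: it pairs each 528/540 logon with the first later 538/551 logoff carrying the same Logon ID and lists the logons that never get one. The comma-separated record layout, the sample records and the function names are assumptions made for this example; the records are taken to come from one computer's Security log, because a Logon ID is only meaningful on the machine that issued it.

```python
from collections import namedtuple
from datetime import datetime

# Windows 2000/2003 Security log event IDs used here
LOGON_IDS = {528, 540}    # 528 = successful logon, 540 = successful network logon
LOGOFF_IDS = {538, 551}   # 538 = user logoff, 551 = user-initiated logoff

Event = namedtuple("Event", "time event_id user logon_type logon_id")

# Constructed sample records (not from a real log), in an assumed export
# layout: time, event ID, user, logon type (2 = interactive, 3 = network),
# Logon ID.
SAMPLE = """\
2010-12-17 08:00:01,528,alice,2,0x1A2B3
2010-12-17 08:00:05,540,alice,3,0x1A2F0
2010-12-17 08:00:06,538,alice,3,0x1A2F0
2010-12-17 09:15:00,540,bob,3,0x2C001
2010-12-17 16:30:42,551,alice,2,0x1A2B3
2010-12-17 16:30:44,538,alice,2,0x1A2B3
"""

def parse(text):
    """Turn the assumed CSV layout into Event tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eid, user, ltype, lid = [f.strip() for f in line.split(",")]
        yield Event(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), int(eid),
                    user.lower(), int(ltype), lid.lower())

def pair_sessions(events):
    """Match each logon to the first later logoff with the same Logon ID."""
    open_sessions, closed = {}, []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in LOGON_IDS:
            open_sessions[ev.logon_id] = ev
        elif ev.event_id in LOGOFF_IDS and ev.logon_id in open_sessions:
            start = open_sessions.pop(ev.logon_id)
            closed.append((start.user, start.logon_type, start.logon_id,
                           start.time, ev.time))
    # Logons with no logoff event: still active, or the event was never written
    unmatched = sorted(open_sessions.values(), key=lambda e: e.time)
    return closed, unmatched

def interactive_sessions(closed):
    """Keep only logon type 2 (console) sessions from the paired list."""
    return [s for s in closed if s[1] == 2]
```

The short-lived type 3 session in the sample shows why raw 540/538 pairs overstate user logons, and the unmatched list is where a missing logoff event ends up.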