How to monitor computer activity in Active Directory


If an admin wants to keep track of the number of hours a computer in their organization was active, keeping track of its startup and shutdown time is pivotal. The computers in an Active Directory (AD) environment can be audited to get this information. Read on to find out how to monitor computer activity with tools native to Windows, or by using ManageEngine's ADAudit Plus.

How to enable computer activity auditing

Perform the following actions on the domain controller (DC):

  1. Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here. If you have already created a Group Policy Object (GPO), go to step 4.
  3. Name the GPO as appropriate.
  4. Right-click the GPO and choose Edit.
  5. In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  6. In the right pane, double-click Audit system events, and check the boxes labeled Define these policy settings, Success, and Failure.
  7. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → System.
  8. In the right pane, double-click Audit Security State Change, and check the boxes labeled Configure the following audit events, Success, and Failure.
  9. Click Apply, then OK.
  10. Go back to the Group Policy Management Console, and in the left pane, right-click the desired OU in which the GPO was linked and click Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

Steps to view these events using the Event Viewer

Once the steps above are complete, events will be stored in the event log. This can be viewed in the Event Viewer by following the steps below:

  1. Press Start, search for Event Viewer, and click to open it.
  2. In the Event Viewer window, in the left pane, navigate to Windows Logs → Security.
  3. Here, you will find a list of all the security events that are logged in the system.
  4. In the right pane, under Security, click Filter Current Log.
  5. In the pop-up window, enter the desired Event ID* in the field labeled <All Event IDs>.
  6. Click OK. This will provide a list of occurrences of the entered Event ID.
  7. Double-click the Event ID to view its properties (description).

*The following Event IDs are generated for the given events:

Event ID    Description
6005        The event log service was started (Computer was started)
6006        The event log service was stopped (Computer was shut down)

The method above is unrealistic when you have to deal with thousands of computers in an organization, as an administrator would have to manually look up each event to view its details.
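The manual lookup can also be scripted. The PowerShell below is an added example, not part of the original page or of ADAudit Plus: it pairs Event IDs 6005 and 6006 into uptime sessions and flags a startup that has no logged shutdown before the next one. The function name, the sample events, and the computer name `PC-EXAMPLE-01` are illustrative assumptions; the live query reads the System log, where the EventLog source writes these two IDs.

```powershell
# Added example: pair startup (6005) and shutdown (6006) events into uptime sessions.
function Get-UptimeSession {
    param(
        # Objects exposing Id and TimeCreated, e.g. Get-WinEvent output.
        [Parameter(Mandatory)] [object[]] $EventRecord
    )
    $start = $null
    foreach ($e in ($EventRecord | Sort-Object TimeCreated)) {
        if ($e.Id -eq 6005) {
            if ($null -ne $start) {
                # Second startup with no 6006 in between: no clean shutdown was logged.
                [pscustomobject]@{ Startup = $start; Shutdown = $null; Hours = $null; State = 'NoShutdownLogged' }
            }
            $start = $e.TimeCreated
        }
        elseif ($e.Id -eq 6006 -and $null -ne $start) {
            [pscustomobject]@{
                Startup  = $start
                Shutdown = $e.TimeCreated
                Hours    = [math]::Round(($e.TimeCreated - $start).TotalHours, 2)
                State    = 'Clean'
            }
            $start = $null
        }
    }
    if ($null -ne $start) {
        # Last startup has no matching shutdown yet: the machine is presumably still up.
        [pscustomobject]@{ Startup = $start; Shutdown = $null; Hours = $null; State = 'Open' }
    }
}

# Constructed sample events (not real log data) so the pairing logic runs offline.
$sample = @(
    [pscustomobject]@{ Id = 6005; TimeCreated = [datetime]'2024-03-04T08:00:00' }
    [pscustomobject]@{ Id = 6006; TimeCreated = [datetime]'2024-03-04T17:30:00' }
    [pscustomobject]@{ Id = 6005; TimeCreated = [datetime]'2024-03-05T08:10:00' }
    [pscustomobject]@{ Id = 6005; TimeCreated = [datetime]'2024-03-05T13:00:00' }
    [pscustomobject]@{ Id = 6006; TimeCreated = [datetime]'2024-03-05T18:00:00' }
)
Get-UptimeSession -EventRecord $sample | Format-Table -AutoSize

# Against a live host, feed the same function from the System log.
# 'PC-EXAMPLE-01' is a placeholder computer name.
# $live = Get-WinEvent -ComputerName 'PC-EXAMPLE-01' -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006 }
# Get-UptimeSession -EventRecord $live
```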

Monitoring computer activity the easy way using ADAudit Plus

ADAudit Plus, a comprehensive AD auditing tool, enables admins to effortlessly audit computer startup, shutdown, and every other change made to AD objects and their attributes.

Steps to monitor computer activity using ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the console and log in as an administrator.
  4. Navigate to Reports → Local Logon-Logoff → Computer Startup and Shutdown.

The report shows the exact computer startup and shutdown time, and calculates the total hours it was active. The shutdown type shows whether it was caused by abnormal shutdown, restart, or a power off.

You can also keep track of users logged in to multiple computers. Navigate to Reports → User Logon Reports → Users logged into multiple computers.

The report lists all the computers that a particular user has logged in to, along with logon time and the name of the authorizing DC. Sort by logon time to see which computer was logged in last.

To find the first and last logon performed on specific computers, navigate to Reports → User Logon Reports → Users First and Last Logon By Computers.

The report shows which computer was most frequently used and by whom.

Advantages of using ADAudit Plus over native auditing:

  • Determine the total number of hours a computer was active between startup and shutdown.
  • View comprehensive reports for all changes made to your Active Directory in one centralized platform.
  • Detect insider threats using user behavior analytics. Get alerts upon encountering an unusually high number of logon attempts, file accesses, account lockouts, or various other signs of compromise.
  • More easily satisfy compliance regulations including SOX, HIPAA, GLBA, PCI-DSS, FISMA, and GDPR.
 
