Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to find who logged into the computer

Monitoring domain users' logon and logoff can provide the organization with beneficial data about their employees such as attendance, work hours, break time, and more. Another reason why logon time should be monitored is for the security of the organization. System admins can use logon and logoff data to prevent potential insider cyberattacks on the organization by detecting unusual activity, such as prolonged logon during non-business hours, or logon activity when the employee has called in sick.

The following is a comparison between auditing the logon and logoff activities of domain users using native auditing tools and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

Download for FREE

Free, fully functional 30-day trial

  • With Native AD Auditing

  • With ADAudit Plus

  • Follow steps 1 and 2 given in the native auditing section to turn on Audit Policy and to enable logon-logoff auditing.

  • Login to ADAudit Plus web console as an administrator.

  • Click on the Reports tab. From the Local logon-logoff section in the left pane, select the Logon Activity report.

  • The Logon Activity report in ADAudit Plus shows the logon attempts, along with the username, logon time, name of the workstation, type of logon among other examples. how-to-find-who-logged-in-computer-5
  • Here are some of the limitations to generate a report of logon activity in Active Directory using native auditing methods:

    1. Each domain controller shows a different logon time due to non-replication of data.

    2. It is a complex process to obtain the required data amidst the noise.

    3. It is difficult to generate the report for different time zones and date formats.

  • With ADAudit Plus, it is easy to obtain a report of logon activity in Active Directory in just a few clicks, and it is displayed in a simple and intuitively designed UI.
  • Step 1: Enable Audit Policy

  • Open Server Manager on Windows server.

  • Under the Manage tab, open the Group Policy Management console.

  • Go to Forest -> Domain -> Your Domain -> Domain Controllers.

  • You can either edit an existing group policy object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.

  • In Audit Policy, select 'Audit logon events' and enable 'Success' and 'Failure' auditing.

    how-to-find-who-logged-in-computer-1
  • Step 2: Enable logon-logoff

  • Go back to Computer Configuration. Navigate to Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policy -> Logon/Logoff.

  • Under that, enable Success and Failure auditing for Audit Logon, Audit Logoff, and Audit Special Logon.

  • Open the Group Policy Management console and select the GPO that you have edited or created. Under Security Filtering, add the users whose logons need to be tracked. You can also choose to audit every domain user's logon by selecting All users. To audit a group of domain users, the specific group(s) can be added.

    how-to-find-who-logged-in-computer-2
  • Step 3: Use Active Directory Event Viewer to check the logs

  • Open Event Viewer and navigate to Windows logs -> Security.

  • Look for the event IDs 4624 (Account was logged on), 4634 (Account was logged off), 4647 (user initiated logoff), 4672 (special logon), 4800 (the workstation was locked), and 4801 (workstation was unlocked).

    how-to-find-who-logged-in-computer-3

  • Click Filter Current Log on the right side to filter the logs based on event IDs or the time range for which the information is required.

    how-to-find-who-logged-in-computer-4

Does native auditing become a little too much?

Simplify distribution group auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

  • Active Directory
  • File servers
  • Windows server
  • Workstation
  • Compliance
  • Related Products

A single pane of glass for complete Active Directory Auditing and Reporting

Free Trial Get Quote
Email Download Link