Direct Inward Dialing: +1 408 916 9892
The first step in tracking logon and logoff events is to enable auditing. You can tell Windows the specific set of changes you want to monitor so that only these events are recorded in the security log.
By default, Windows updates Group Policy every 90 minutes; if you want the changes to be reflected immediately, you can force a background update of all Group Policy settings by executing the following command in the Windows Command Prompt:
gpupdate /forceNow, when any user logs on or off, the information will be recorded as an event in the Windows security log.
To view the events, open Event Viewer and navigate to Windows Logs > Security. Here you'll find details of all events that you've enabled auditing for. You can define the size of the security log here, as well as choose to overwrite older events so that recent events are recorded when the log is full.
This event records every successful attempt to log on to the local computer. It includes critical information about the logon type (e.g. interactive, batch, network, or service), SID, username, network information, and more. Monitoring this particular event is crucial as the information regarding logon type is not found in DCs.
This event signals the end of a logon session.
This event, like event 4634, signals that a user has logged off; however, this particular event indicates that the logon was interactive or RemoteInteractive (remote desktop).
This event documents every failed attempt to log on to the local computer, including information on why the logon failed (bad username, expired password, expired account, etc.) which is useful for security audits.
All the event IDs mentioned above have to be collected from individual machines. If you're not concerned with the type of logon or when users log off, you can simply track the following event IDs from your DCs to find users' logon history.
This event is generated when the DC grants an authentication ticket (TGT). That means a user has entered the correct username and password, and their account passed status and restriction checks. If the ticket request fails (account is disabled, expired, or locked; attempt is outside of logon hours; etc.), then this event is logged as a failed logon attempt.
This event means that the ticket request failed, so this event can be considered a logon failure.
You probably noticed that logon and logoff activity are denoted by different event IDs. To tie these events together, you need a common identifier.
The logon ID is a number (unique between reboots) that identifies the most recently initiated logon session. Any subsequent activity is reported with this ID. By associating logon and logoff events with the same logon ID, you can calculate the logon duration.
This means you have to collect information from DCs as well as workstations and other Windows servers to get a complete overview of all logon and logoff activity within your environment. The process is painstaking and could quickly get frustrating.
So, what if there was an easier way to audit logon activity? A tool like ADAudit Plus audits specific logon events as well as current and past logon activity to provide a list of all logon-related changes.
This information is provided on an easily understandable web interface that displays statistical information through charts, graphs, and a list view of canned and customized reports.
User logon activity report
To learn more about how ADAudit Plus can help you with all your Active Directory auditing needs, please visit: here
Try ADAudit Plus login monitoring tool to audit, track, and respond to malicious login and logoff actions instantaneously.
Try ADAudit Plus for free