With Native AD Auditing
With ADAudit Plus
Recent user logon activity can be tracked by following the below mentioned steps:
Login to ADAudit Plus
Select the required Domain from the dropdown list
Go to the Reports tab
Navigate to User Logon Reports
Select Recent User Logon Activity
The following are some of the details you can get in this report:
User Name - Name of the user
Client IP Address - The IP address of the client machine
Client Host Name - Name of the client machine
Domain Controller - Name of domain controller into which the user logs in
Logon Time - The time at which user logon takes place
Event Type - Status of logon (success or failure)
Failure Reason - This field displays the reason for logon failure
SID - Security ID associated with logon event
With native AD auditing, here is how you can monitor the recent user logon activity:
Step 1: Enable 'Audit logon events' policy
Launch 'Server Manager' in your Windows Server instance.
Under Manage, select 'Group Policy Management' and launch the Group Policy Management console.
Navigate to Forest --> Domain --> Your domain --> Domain Controllers.
Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the 'Group Policy Management Editor'.
Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.
Under Audit Policy, turn auditing on for Success events of the following policies:
Audit account logon events
Audit account management
Audit logon events
Step 2: Track recent user logon activity in Event Viewer
Every time a user successfully logs on to a computer, an event log will be recorded in the Event Viewer. The event log can be used to track recent user logon activity. To view these audit logs, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.
To filter the event logs to view just the logs associated with user recent logon activity, select 'Create custom view' from the right pane. Simply search for the event ID 4624 (Account successful logon).
Select the created custom view Recent User Logon to get all the user logon success events. Sort the result based on Date and Time. You can see the most recent user logon on the top of the list.
The process needs to be repeated several times to get the recent logon information for different users.
Native auditing becoming a little too much?
Simplify Active Directory auditing and reporting withADAudit Plus.Get Your Free Trial Fully functional 30-day trial
ADAudit Plus is a comprehensive Active Directory auditing solution that will help you monitor, and audit local logon and logoffs by domain users. It can also track other critical events that can lead to network disruptions.
ADAudit Plus simplifies recent user logon activity tracking by offering you predefined user logon report along with intuitive graphical representation of the same for the ease of comprehension. ADAudit Plus also provides you the option to generate custom reports and export them in your preferred format (.pdf, .xls, .html and .csv).