How to track recent user logon activity?

Users logging into their domains may seem like a trivial day-to-day activity. But, keeping track of user logon activities enables an organization to monitor anomalous behavior exhibited by insiders, and helps in accelerating forensic analysis in case of a mishap.

Review recent user logon activity Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

Recent user logon activity can be tracked by following the below mentioned steps:

  • Login to ADAudit Plus

  • Select the required Domain from the dropdown list

  • Go to the Reports tab

  • Navigate to User Logon Reports

  • Select Recent User Logon Activity

  • The following are some of the details you can get in this report:

    1. User Name - Name of the user

    2. Client IP Address - The IP address of the client machine

    3. Client Host Name - Name of the client machine

    4. Domain Controller - Name of domain controller into which the user logs in

    5. Logon Time - The time at which user logon takes place

    6. Event Type - Status of logon (success or failure)

    7. Failure Reason - This field displays the reason for logon failure

    8. SID - Security ID associated with logon event

With native AD auditing, here is how you can monitor the recent user logon activity:

  • Step 1: Enable 'Audit logon events' policy
  • Launch 'Server Manager' in your Windows Server instance.

  • Under Manage, select 'Group Policy Management' and launch the Group Policy Management console.

  • Navigate to Forest --> Domain --> Your domain --> Domain Controllers.

  • Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the 'Group Policy Management Editor'.

  • Navigate to Computer Configuration -> Windows Settings -> Security Settings ->Local Policies -> Audit Policy.

  • Under Audit Policy, turn auditing on for Success events of the following policies:

    1. Audit account logon events

    2. Audit account management

    3. Audit logon events

  • Step 2: Track recent user logon activity in Event Viewer
  • Every time a user successfully logs on to a computer, an event log will be recorded in the Event Viewer. The event log can be used to track recent user logon activity. To view these audit logs, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below.

  • To filter the event logs to view just the logs associated with user recent logon activity, select 'Create custom view' from the right pane. Simply search for the event ID 4624 (Account successful logon).

  • Select the created custom view Recent User Logon to get all the user logon success events. Sort the result based on Date and Time. You can see the most recent user logon on the top of the list.

    The process needs to be repeated several times to get the recent logon information for different users.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting withADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

ADAudit Plus is a comprehensive Active Directory auditing solution that will help you monitor, and audit local logon and logoffs by domain users. It can also track other critical events that can lead to network disruptions.

ADAudit Plus simplifies recent user logon activity tracking by offering you predefined user logon report along with intuitive graphical representation of the same for the ease of comprehension. ADAudit Plus also provides you the option to generate custom reports and export them in your preferred format (.pdf, .xls, .html and .csv).

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.