With Native AD Auditing
With ADAudit Plus
Turn on Audit Policy and enable logon/logoff auditing as detailed in steps 1 and 2 from the native AD auditing section.
Click on the 'Reports' tab and then select 'Local logon-Logoff'. Several reports here give you the logon information you need and more. Logon Activity shows the logon attempts, with the username, logon time, name of the workstation and type of logon, among other details. Logon Duration gives you the logon time, the logoff time and the duration of each logged-in session. User Work Hours gives the total amount of time the user spent logged in to the workstation.
Here is a sample Logon Activity report:
Click on 'Advanced Search' at the top to filter the report. A variety of parameters such as Username, Event ID, Domain can be used to filter the report.
Step 1: Enable Audit Policy
Open 'Server Manager' on your Windows server.
Under the 'Manage' tab, click on 'Group Policy Management' to open the 'Group Policy Management Console'.
Navigate to Forest > Domain > Your Domain > Domain Controllers.
You can choose to either edit an existing group policy object or create a new one.
In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
In Audit Policy, select 'Audit logon events' and enable it for 'Success' and 'Failure'.
Step 2: Enable logon-logoff
Go back to Computer Configuration and navigate to Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > Logon/Logoff.
Under that, configure 'Audit Logon', 'Audit Logoff' and 'Audit Special Logon' and enable them for 'Success' and 'Failure'.
Open the Group Policy Management Console and select the GPO that you have edited or created. In the right pane, under Security Filtering, add the users whose logons need to be audited. You can choose to audit everyone, or add only a specific group of people.
Step 3: Use Active Directory Event Viewer to check the logs
Once logon auditing is enabled, Active Directory Event Viewer records logon and logoff activity as events with specific event IDs. To view the events, open Event Viewer and navigate to Windows Logs > Security. Look for event IDs 4624 (Account was logged on), 4634 (Account was logged off), 4647 (user initiated logoff), 4672 (special logon), 4800 (the workstation was locked) and 4801 (workstation was unlocked).
Click on 'Filter Current Log' on the right side to filter the logs based on event IDs or the time range for which you need the information.
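The Step 3 lookup can also be scripted to produce session durations from the raw events. The PowerShell below is an added example, not part of the original page or of ADAudit Plus. It assumes an elevated session on the machine whose Security log is being read, a 24-hour look-back window, and that only interactive logon types (2, 10, 11) are of interest; `Get-EventFields` is a helper named here for illustration.

```powershell
# Added example: pair logon (4624) with logoff (4634/4647) events by logon ID.
# Assumptions: elevated session, 24-hour window, interactive logon types only.
$since = (Get-Date).AddDays(-1)
$interactive = '2', '10', '11'   # Interactive, RemoteInteractive, CachedInteractive

# Same criteria as 'Filter Current Log': event IDs plus a time range.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Hypothetical helper: flatten an event's named <Data> fields into a hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$open = @{}                      # TargetLogonId -> logon not yet closed
$closed = foreach ($evt in $events) {
    $f = Get-EventFields $evt
    $id = $f['TargetLogonId']
    if (-not $id) { continue }
    if ($evt.Id -eq 4624) {
        if ($f['LogonType'] -in $interactive) {
            $open[$id] = [pscustomobject]@{
                User        = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                Workstation = $f['WorkstationName']
                LogonType   = $f['LogonType']
                Logon       = $evt.TimeCreated
            }
        }
    }
    elseif ($open.ContainsKey($id)) {
        # First 4634 or 4647 for a tracked session closes it; later ones are ignored.
        $s = $open[$id]
        $open.Remove($id)
        [pscustomobject]@{
            User = $s.User; Workstation = $s.Workstation; LogonType = $s.LogonType
            Logon = $s.Logon; Logoff = $evt.TimeCreated
            Duration = $evt.TimeCreated - $s.Logon
        }
    }
}

$closed | Format-Table -AutoSize
# Logons with no logoff event inside the window (for example, still active).
$open.Values | Format-Table -AutoSize
```

Matching on `TargetLogonId` rather than on username keeps concurrent sessions of the same account separate.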
Native auditing becoming a little too much?
Simplify Active Directory auditing and reporting with ADAudit Plus.