How to track user logon-logoff time in Active Directory

Step 1: Enable Audit Policy

• Open 'Server Manager' on your Windows server.
• Under the 'Manage' tab, click on 'Group Policy Management' to open the 'Group Policy Management Console'.
• Navigate to Forest>Domain>Your Domain>Domain Controllers.
• You can choose to either edit an existing group policy object or create a new one.
• In the Group Policy Editor, navigate to Computer Configuration> Windows Settings>Security Settings>Local Policies>Audit Policy.
• In Audit Policy, select 'Audit logon events' and enable it for 'Success' and 'Failure'.
  

Step 2: Enable logon-logoff

• Go back to Computer Configuration and navigate to Windows Settings> Security Settings> Advanced Audit Policy Configuration> Audit Policy> Logon/Logoff.
• Under that, configure 'Audit Logon', 'Audit Logoff' and 'Audit Special Logon' and enable them for 'Success' and 'Failure'.
• Open the Group Policy Management Console and select the GPO that you have edited or created. In the right pane, under Security Filtering, add the users whose logons need to be audited. If you want to audit everyone, the option is available. On the other hand, if you want to audit a specific group of people, the group can also be added.
  

Step 3: Use Active Directory Event Viewer to check the logs

Once logon auditing is enabled, Active Directory Event Viewer records them as events with specific event IDs. To view the events, open Event Viewer, navigate to Windows Logs> Security. Look for event IDs 4624 (Account was logged on), 4634 (Account was logged off), 4647 (user initiated logoff) and 4672 (special logon), 4800 (the workstation was locked), 4801 (workstation was unlocked).

Click on 'Filter Current Log', on the right side to filter the logs based on event IDs or the time range for which you need the information.