How to track user logon-logoff time in Active Directory

Though logon times are easy to track in Active Directory, you will probably get a different last logon time on each of your domain controllers. This is because domain controllers do not replicate every logon and logoff time to each other, as that would cause an enormous amount of traffic. Finding user logon times is, however, important from both the security and productivity perspectives.

Monitoring user logon times can help mitigate dangerous security threats. For example, a user found to be spending too much time logged in during non-business hours could be a potential insider threat. Monitoring this user and checking on any unusual network activity in connection with them could avert a network breach. Therefore the importance of user logon events cannot be overstated.

ADAudit Plus, an Active Directory auditing and reporting tool, has a special section dedicated to auditing logon events. These reports are generated by processing information from multiple events in Active Directory and are therefore a one-stop solution for all your auditing woes. Generating these reports does not require any complex maneuvering; it is just a matter of a few clicks.

  • With Native AD Auditing

  • With ADAudit Plus

  • Turn on Audit Policy and enable logon/logoff auditing as detailed in steps 1 and 2 from the native AD auditing section.

  • Click on the 'Reports' tab and then select 'Local logon-Logoff'. Here, there are multiple reports that give you the logon information you need and more. Logon Activity shows the logon attempts, with the username, logon time, name of the workstation and type of logon, among other details. Logon Duration gives you the logon time, the logoff time and the duration of each logged-in session. User Work Hours gives the total amount of time the user spent logged in to the workstation.

  • Here is a sample Logon Activity report:

  • Click on 'Advanced Search' at the top to filter the report. A variety of parameters, such as Username, Event ID and Domain, can be used to filter the report.

  • Step 1: Enable Audit Policy
  • Open 'Server Manager' on your Windows server.

  • Under the 'Manage' tab, click on 'Group Policy Management' to open the 'Group Policy Management Console'.

  • Navigate to Forest > Domain > Your Domain > Domain Controllers.

  • You can choose to either edit an existing group policy object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

  • In Audit Policy, select 'Audit logon events' and enable it for 'Success' and 'Failure'.

  • Step 2: Enable logon-logoff
  • Go back to Computer Configuration and navigate to Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > Logon/Logoff.

  • Under that, configure 'Audit Logon', 'Audit Logoff' and 'Audit Special Logon' and enable them for 'Success' and 'Failure'.

  • Open the Group Policy Management Console and select the GPO that you have edited or created. In the right pane, under Security Filtering, add the users whose logons need to be audited. If you want to audit everyone, the option is available. On the other hand, if you want to audit a specific group of people, the group can also be added.

  • Step 3: Use Active Directory Event Viewer to check the logs
  • Once logon auditing is enabled, Active Directory Event Viewer records logons and logoffs as events with specific event IDs. To view the events, open Event Viewer and navigate to Windows Logs > Security. Look for event IDs 4624 (Account was logged on), 4634 (Account was logged off), 4647 (user initiated logoff), 4672 (special logon), 4800 (the workstation was locked) and 4801 (workstation was unlocked).

    Click on 'Filter Current Log' on the right side to filter the logs based on event IDs or the time range for which you need the information.
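
The lookup in Step 3, scripted as an added example that is not part of the original page or of ADAudit Plus: it reads events 4624, 4634 and 4647 from the local Security log and pairs them by Logon ID to get the logon time, logoff time and duration of each session. The function name `Get-LogonSession` and its parameters are hypothetical, and the default of logon types 2 and 10 (interactive and Remote Desktop) is an assumption.

```powershell
# Added example: pair logon (4624) and logoff (4634/4647) events by Logon ID.
# Run in an elevated PowerShell session on the machine whose Security log you want to read.
function Get-LogonSession {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        # Assumed default: 2 = interactive, 10 = remote interactive (RDP)
        [int[]]$LogonType = @(2, 10)
    )

    $filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $StartTime }
    $open = @{}   # sessions seen at logon and not yet closed, keyed by TargetLogonId

    # Get-WinEvent returns newest first; sort so each logon precedes its logoff
    Get-WinEvent -FilterHashtable $filter | Sort-Object TimeCreated | ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $id = $data['TargetLogonId']

        if ($_.Id -eq 4624) {
            if ($LogonType -contains [int]$data['LogonType']) {
                $open[$id] = [pscustomobject]@{
                    User       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    LogonType  = [int]$data['LogonType']
                    LogonId    = $id
                    LogonTime  = $_.TimeCreated
                    LogoffTime = $null
                    Duration   = $null
                }
            }
        }
        elseif ($open.ContainsKey($id)) {
            # First 4647 or 4634 with this Logon ID closes the session;
            # a later logoff event for the same ID finds nothing open and is ignored.
            $s = $open[$id]
            $s.LogoffTime = $_.TimeCreated
            $s.Duration   = $_.TimeCreated - $s.LogonTime
            $open.Remove($id)
            $s
        }
    }

    # Sessions with no logoff event in range (still logged on, or the log rolled over)
    $open.Values
}

Get-LogonSession -StartTime (Get-Date).AddDays(-7) | Sort-Object LogonTime | Format-Table -AutoSize
```

Each machine records these events in its own Security log, so run this on the workstation or server where the logon happened. With User Account Control, an interactive logon by an administrator can appear as two sessions with different Logon IDs.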


© 2019 Zoho Corp. All rights reserved.