Get Better Track User Logon Logoff Active Directory Results

Asked By 0 points N/A Posted on -
Is there any way other than the Event Viewer to track user logon and logoff in Active Directory? How can I monitor user logon and logoff in Active Directory?

Answered By 0 points N/A #157455

User logon and logoff in Active Directory can be tracked by running a simple PowerShell script, which you can Google. The script collects and displays all the logon and logoff events from multiple computers. Or you can also install third-party software for the same if you want real-time monitoring of a computer. The user logon and logoff duration also helps in IT troubleshooting.

Answered By 590495 points N/A #343653

If you want to track the logon sessions of users in Active Directory, here’s one way without paying for a service. To do this, you need to configure the Audit Policies first. Click “Start,” “All Programs,” “Administrative Tools” then double-click “Group Policy Management.” In the “Group Policy Management” screen, navigate to “Forest,” “Domains,” “www.domain.com” then under the “Domain Controllers” node, right-click any custom or customized policy then select “Edit.”

This will access the “Group Policy Management Editor.” Note: it is recommended that you create a new GPO, link it to the domain, and edit it. In “Group Policy Management Editor,” navigate to “Computer configuration,” “Policies,” “Windows Settings,” “Security Settings,” “Advanced Audit Policy Configuration,” “Audit Policies” then “Logon/Logoff.” After this, you have to configure the following policies:

  • Audit Logon
  • Audit Logoff
  • Audit Other Logon/Logoff

Double-click “Audit Logon” to open the “Properties” then click to select “Configure the following audit events.” Check both “Successful” and “Failure” boxes to audit successful and failed events. Click “Apply” then “OK.” Repeat the same steps for “Audit Logoff” and “Audit Other Logon/Logoff” policies. When you are finished, exit “Group Policy Management Editor.” Next, in “Group Policy Management Console,” select the GPO that you have modified.

In the “Security Filtering” section in the right pane, click “Add” to add “Everyone” for applying this policy to all Active Directory objects. When you are finished, exit “Group Policy Management Console.” Open the command prompt then run the following command to update the group policies:

gpupdate /force

When it is finished, the next thing to do is to track logon sessions using the event logs. Go to Event Viewer then navigate to “Windows Logs” then “Security.” Open “Filter Current Log” located in the rightmost pane and set filters for the following Event IDs. You can also search for these event IDs:

  • 4624
    • Logon (Whenever an account is successfully logged on)
  • 4647
    • Logoff (When an account is successfully logged off)
  • 4634
    • Logon session end time
  • 4800
    • System was locked
  • 4801
    • System was unlocked

Locate and double-click the event ID 4648 to access “Event Properties.” The session start time is displayed as “Logged.”
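
An added example, not written by either answerer: PowerShell that pairs the 4624 logon events with the 4647/4634 logoff events listed above by logon ID and reports each session's duration. The function names and the sample records are constructed for illustration; the live query in the closing comments assumes the audit policy from the steps above is already in effect.

```powershell
# Added example: pair logon and logoff events by logon ID to get session durations.
function ConvertTo-LogonRecord {
    # Flatten a Security-log event from Get-WinEvent into the fields used below.
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $WinEvent.TimeCreated; Id = $WinEvent.Id
                           User = $data['TargetUserName']; LogonId = $data['TargetLogonId'] }
    }
}

function Get-LogonSession {
    # 4624 opens a session; the first 4647 or 4634 with the same logon ID closes it.
    param([object[]] $Record)
    $open = @{}
    foreach ($r in ($Record | Sort-Object Time)) {
        switch ($r.Id) {
            4624 { $open[$r.LogonId] = $r }
            { $_ -in 4647, 4634 } {
                $start = $open[$r.LogonId]
                if ($start) {   # a later 4634 for an already closed session is ignored
                    $open.Remove($r.LogonId)
                    [pscustomobject]@{ User = $start.User; LogonId = $r.LogonId; Start = $start.Time
                                       End = $r.Time; Duration = $r.Time - $start.Time }
                }
            }
        }
    }
    # Sessions with no logoff event in the input: still active, or the event was not captured.
    foreach ($s in $open.Values) {
        [pscustomobject]@{ User = $s.User; LogonId = $s.LogonId; Start = $s.Time; End = $null; Duration = $null }
    }
}

# Constructed sample records (not real log data), shaped like ConvertTo-LogonRecord output.
$t = [datetime]'2024-01-15T08:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t;               Id = 4624; User = 'alice'; LogonId = '0x3e7a1' }
    [pscustomobject]@{ Time = $t.AddMinutes(5); Id = 4624; User = 'bob';   LogonId = '0x4b2c9' }
    [pscustomobject]@{ Time = $t.AddHours(4);   Id = 4647; User = 'alice'; LogonId = '0x3e7a1' }
    [pscustomobject]@{ Time = $t.AddHours(4).AddSeconds(2); Id = 4634; User = 'alice'; LogonId = '0x3e7a1' }
)
Get-LogonSession -Record $sample | Format-Table

# Live use from an elevated prompt, once the audit policy described above is applied:
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4647, 4634 } | ConvertTo-LogonRecord
# Get-LogonSession -Record $records
```

Logon IDs are unique only per computer between reboots, so when merging logs from several machines, add the computer name to the key before pairing.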
