Wednesday, 11 April 2012

How to track users logon/logoff


The Auditing


Option 1:

1. Enable Auditing on the domain level by using Group Policy:

      Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy
      There are two types of auditing that address logging on, they are Audit Logon Events and Audit Account Logon Events.

      Audit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).

      Audit "Account Logon" Events tracks logons to the domain, and the results appear in the Security Log on domain controllers only


2. Create a logon script on the required domain/OU/user account with the following content:

     echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >>
        \\SERVER\SHARENAME$\LOGON.LOG

3. Create a logoff script on the required domain/OU/user account with the following content:

     echo %date%,%time%,%computername%,%username%,%sessionname%,%logonserver% >>
        \\SERVER\SHARENAME$\LOGOFF.LOG


Note: Please be aware that unauthorized users can change this scripts, due the requirement that

                  the SHARENAME$ will be writeable by users.


Option 2:


Use WMI/ADSI to query each domain controller for logon/logoff events.

1 comments:

michel jon said...

Thanks for sharing the helpful post it describes stepwise information to track user logon and logoff activity. I found the similar post at http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/ which provides the procedure to audit logon/logoff (successful and failed) in active directory environment.

Post a Comment