Get Better Track User Logon Logoff Active Directory Results
Is there any other way except the Event Viewer to track user logon and logoff in Active Directory? How can I monitor user logon and logoff in Active Directory?
User logon and logoff in Active Directory can be tracked by running a simple PowerShell script, which you can Google. The script collects and displays all the logon and logoff events from multiple computers. Or you can also install third-party software for the same if you want real-time monitoring of a computer. The user logon and logoff duration also helps in IT troubleshooting.
If you want to track the logon session of users in Active Directory, here’s one way without paying for a service. To do this, you need to configure the Audit Policies first. Click “Start,” “All Programs,” “Administrative Tools” then double-click “Group Policy Management.” In “Group Policy Management” screen, navigate to “Forest,” “Domains,” “www.domain.com” then under “Domain Controllers” node, right-click any custom or customized policy then select “Edit.”
This will access the “Group Policy Management Editor.” Note: it is recommended that you create a new GPO, link it to the domain, and edit it. In “Group Policy Management Editor,” navigate to “Computer configuration,” “Policies,” “Windows Settings,” “Security Settings,” “Advanced Audit Policy Configuration,” “Audit Policies” then “Logon/Logoff.” After this, you have to configure the following policies:
Double-click “Audit Logon” to open the “Properties” then click to select “Configure the following audit events.” Check both “Successful” and “Failure” boxes to audit successful and failed events. Click “Apply” then “OK.” Repeat the same steps for “Audit Logoff” and “Audit Other Logon/Logoff” policies. When you are finished, exit “Group Policy Management Editor.” Next, in “Group Policy Management Console,” select the GPO that you have modified.
In “Security Filtering” section in the right pane, click “Add” to add “Everyone” for applying this policy to all Active Directory objects. When you are finished, exit “Group Policy Management Console.” Open the command prompt then run the following command to update the group policies:
gpupdate /force
When it is finished, the next thing to do is to track logon sessions using the event logs. Go to Event Viewer then navigate to “Windows Logs” then “Security.” Open “Filter Current Log” located in the rightmost pane and set filters for the following Event IDs. You can also search for these event IDs:
Locate and double-click the event ID 4648 to access “Event Properties.” The session start time is displayed as “Logged.”
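The two answers above describe a PowerShell script and an Event Viewer filter without showing either. The following is an added example, not code from the original posts: it reads the Security log with `Get-WinEvent` and pairs each logon with its logoff to get a session duration. Only event ID 4648 comes from the page; the other IDs (4624, 4634, 4647), the field names, the host list and the one-day window are assumptions.

```powershell
# Added example. Run elevated; $Computers and $Since are placeholders to adjust.
$Computers = @($env:COMPUTERNAME)
$Since     = (Get-Date).AddDays(-1)
# Assumed IDs: 4624 logon, 4634 logoff, 4647 user-initiated logoff, 4648 explicit-credential logon
$Ids = 4624, 4634, 4647, 4648

$rows = foreach ($computer in $Computers) {
    try {
        $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Flatten the named <Data> fields of the event into a lookup table
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Computer  = $computer
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    User      = $data['TargetUserName']
                    LogonId   = $data['TargetLogonId']   # absent on 4648
                    LogonType = $data['LogonType']
                }
            }
    } catch {
        # Unreachable host, access denied, or no matching events: report and continue
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# Earliest logoff per (computer, logon ID); logon IDs are only unique per host and boot
$logoff = @{}
foreach ($r in ($rows | Where-Object { $_.EventId -in 4634, 4647 } | Sort-Object Time)) {
    $key = "$($r.Computer)|$($r.LogonId)"
    if (-not $logoff.ContainsKey($key)) { $logoff[$key] = $r.Time }
}

# One row per user logon (machine accounts ending in $ skipped); LogoffTime stays empty if none was recorded
$sessions = $rows | Where-Object { $_.EventId -eq 4624 -and $_.User -notlike '*$' } |
    Sort-Object Time | ForEach-Object {
        $end = $logoff["$($_.Computer)|$($_.LogonId)"]
        [pscustomobject]@{
            Computer = $_.Computer; User = $_.User; LogonType = $_.LogonType
            LogonTime = $_.Time; LogoffTime = $end
            Duration  = $(if ($end) { $end - $_.Time })
        }
    }
$sessions | Format-Table -AutoSize
# Explicit-credential logons (4648) carry no TargetLogonId, so list them separately
$rows | Where-Object EventId -eq 4648 | Select-Object Computer, Time, User | Format-Table -AutoSize
```

Sessions with an empty LogoffTime are either still open or ended without a logoff event being written (for example a power loss), so treat a missing duration as unknown rather than zero.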