September 27, 2016

Active Directory User Logon Time and Date

This post explains where to look for user logon events in the event viewer and how we can write out logon events to a text file with a simple script.
Domain Controller
To view AD user logon times, set ‘Audit Logon events’ to ‘Success’ in the Default Domain Controllers Policy. When a user logs on, Event ID 540 (2003) or Event ID 4624 (2008) is recorded in the security log of the logon server used.
Server 2003: Event ID 540
Server 2008: Event ID 4624
Computer
Again, ‘Audit Logon events’ needs to be set to ‘Success’; you can do this in the Default Domain Policy. When a user logs on, Event ID 528 (XP) or Event ID 4624 (W7) is recorded in the security log of the local computer.
XP: Event ID 528
Windows 7: Event ID 4624
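The same 4624 events can be pulled from the Security log with PowerShell instead of browsing Event Viewer. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later and an elevated session on the domain controller or computer whose log you are reading, and the account name jsmith is a constructed sample value.

```powershell
# Added example: list successful logons (Event ID 4624) for one account
# from the local Security log. Defaults below are constructed sample values.
param(
    [string]$UserName = 'jsmith',   # hypothetical account to search for
    [int]$Hours = 24                # how far back to look
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter |
    ForEach-Object {
        # Turn the event's <EventData> fields into a name/value lookup
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']   # 2 = interactive, 3 = network, 10 = remote interactive
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LoggedBy    = $_.MachineName       # machine that recorded the event
        }
    } |
    Where-Object { $_.User -eq $UserName } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Because the Security log is written by the operating system rather than by the user, its entries can be used to confirm a line in a logon text file that users are able to write to.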
Write Logons to Text File
This is a nice method for quickly viewing and searching for a user logon event within a single text file. Create a logon script and apply it to all users in your domain.

@ECHO OFF
REM Append logon server, username, computer name, date and time to the shared log file
echo %logonserver% %username% %computername% %date% %time% >> \\server\share$\logon.txt
exit
This outputs the logon server (the server the user authenticated against), username, computer name, date and time to a file called logon.txt. This method isn’t particularly secure, as users need permission to write to the file. You can put it in a hidden share, like I have done above, which adds a slight level of security (by obscurity), but it’s something to be aware of.
Now you can open this single file and view all user logons. You could do the same for logoff if you so desired.
Logon.txt
Brucey Bonus
If you’d like to view a ‘live update’ of this text file, you can use an application called Tailme. This polls for updates and adds them on a new line, which is quite handy if you are waiting for a particular user to log on or if you want to see whether that user has really restarted their machine…
You can set it to sit in the tray and a single click will bring it up. Here is the config I use.
Tailme Logon

Reference: https://blog.thesysadmins.co.uk/active-directory-user-logon-time-and-date-2.html
