By chatting and providing personal info, you understand and agree to our Terms of Service and Privacy Policy.
Corporate Site
Overview
How it works
For Home
Step-by-Step Guides
Get Tech Support
|
1-808-210-2095

How to Track User Logon History in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Track User Logon History in Active Directory

 

2. Step 1: Configure the Audit Policies

  • Go to “Start” âž” “All Programs” âž” “Administrative Tools”. Double-click “Group Policy Management” to open its window.
  • In the “Group Policy Management” console navigate to “Forest” âž” “Domains” âž” “www.domain.com”.
  • Under “Domain Controllers” node, right-click any customized policy. Click “Edit” to access the “Group Policy Management Editor”.Note: We recommend that you create a new GPO, link it to the domain and edit it.
  • Go to “Computer configuration” âž” “Policies” âž” “Windows Settings” âž” “Security Settings” âž” “Advanced Audit Policy Configuration” âž” “Audit Policies” âž” “Logon/Logoff”.
Figure 1: Group Policy Management Editor
  • You have to configure the following policies:
  • Audit Logon
  • Audit Logoff
  • Audit Other Logon/Logoff
  • Double-click “Audit Logon” to access its properties.
  • Click to select “Configure the following audit events”.
  • To audit successful and failed events, click both “Successful” and “Failure” checkboxes.
  • Click “Apply” and “Ok”. Repeat the steps for “Audit Logoff” and “Audit Other Logon/Logoff” policies.
  • Close “Group Policy Management Editor”.
  • In “Group Policy Management Console”, select the GPO that you have modified. In “Security Filtering” section in the right pane, click “Add” to add “Everyone” for applying this policy to all Active Directory objects.
Figure 2: Group Policy Management Console
  • Close “Group Policy Management Console”.
  • At the “Run” prompt or in “Command Prompt”, run the following command to update the group policies.gpupdate /force

3. Step 2: Track Active Directory User Login history using Event logs

Perform the following steps in the Event Viewer to track session time:

  • Go to “Windows Logs” âž” “Security”.
  • Open “Filter Current Log” on the rightmost pane and set filters for the following Event IDs. You can also search for these event IDs.Event IDDescription4624Logon (Whenever an account is successfully logged on)4647Logoff (When an account is successfully logged off)4634Logon session end time4800System was locked4801System was unlocked
  • Double-click the event ID 4648 to access “Event Properties”. The session start time is displayed as “Logged”.
  • Let’s use an example to get a better understanding. In the “Event Properties” given above, a user with the account name “TestUser1” had logged in on 11/24/2017 at 2:41 PM. The session end time (can be obtained using the Event ID 4647) is 11/24/2017 at 03:02 PM.

Privacy Matters

Support.com is committed to your privacy
We do not share or sell your data to third parties. We do use cookies and other third-party technologies to improve our site and services. The California Consumer Privacy Act (CCPA) gives you the ability to opt out of the use of cookies, third-party technologies and/or the future sale of your data. Do not sell my personal information.

Support.com is committed to your privacy
Read our Privacy Policy for a clear explanation of how we collect, use, disclose and store your information

©2024 RealDefense LLC. Support.com is a trademark owned by RealDefense LLC.
PRIVACY
TERMS OF USE