How to Spot which Users are Logged in and Track their Logon/Logoff times

How to Track User Logon and Logoff Events in Active Directory

User logon and logoff are events that happen every day in an organization. Administrators need to track user logon and logoff activity because these events play an important role in identifying security threats and other suspicious activity. Beyond that, knowing which users are logged in and when they log on or log off serves a wide range of purposes, such as maintaining employee attendance records, spotting suspicious logon or logoff activity, determining peak logon and logoff times, and counting the number of users logged in at a given time.

In Active Directory, the users who are logged in and the time of their logon or logoff events can be seen using the following methods.
  1. By configuring Audit Policies using GPMC and Event Viewer
  2. By using PowerShell commands
  3. By using Attribute Editor to find user logon or logoff time

Configuring Audit Policies using GPMC and Event Viewer

The first step in getting the Active Directory user logon/logoff report is to enable the Active Directory audit policies. This can be done using the Group Policy Management Console (GPMC) by following the steps given below.
  1. Open the Group Policy Management Console (GPMC).
  2. Create a new Group Policy Object (GPO) and navigate to the Group Policy Management Editor.
  3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
  4. Configure the following audit policies to track user logon and logoff.
    1. Audit Logon
    2. Audit Logoff
    3. Audit Other Logon/Logoff Events
  5. Double click on Audit Logon and select Configure the following audit events.
  6. Check the Success and Failure checkboxes to register both successful and failed events in the Security log. Click Apply and OK.
  7. Repeat the same procedure for the Audit Logoff and Audit Other Logon/Logoff Events policies and close the Group Policy Management Editor.
  8. To apply this policy to all the Active Directory objects, select the modified GPO and go to the Security Filtering section on the right pane of the Group Policy Management Console. Select Everyone and click on Add.
  9. Save the changes in the GPO and close the Group Policy Management Console.
  10. Run the following command to update the group policies: gpupdate /force
Once the appropriate audit policies have been enabled, the administrator can see which users have logged in or logged off and the time of these logon or logoff events by means of the Event Viewer. This can be done by following the instructions given below.
  1. Open Event Viewer by going to Start > Administrative Tools.
  2. Navigate to Windows logs > Security.
  3. Open Filter Current Log and set the filters or search for the following Event IDs:
    1. Event ID 4624 – Logon
    2. Event ID 4647 – Logoff
    3. Event ID 4634 – Logon session end time
  4. Double click an event (for example, an Event ID 4624 entry) to open its Event Properties. This gives the details of the user, their logon activity and the time of logon or logoff.
  5. Similarly, the other Event IDs can be selected to view the user logon or logoff time and other details.

Tracking User Logon and Logoff Events using PowerShell

User logon and logoff events and their times can also be tracked with PowerShell. The Get-EventLog cmdlet reads the event logs of the domain controller, and the results can be filtered by the Event IDs listed above; each event's timestamp gives the logon or logoff time.
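As an added example (not from the original article), the script below reads the Security log for the three Event IDs above and pairs each interactive logon with its logoff by logon ID, so every row shows a user's logon time, logoff time and session duration. It assumes it runs with administrator rights and that $ComputerName names a domain controller or workstation whose Security log you may read; Get-WinEvent is used instead of Get-EventLog because it filters on the server side.

```powershell
# Added example, not part of the original article.
# Assumptions: run as an administrator; $ComputerName is a host whose Security
# log you are allowed to read (a domain controller for domain logons).
$ComputerName = $env:COMPUTERNAME
$StartTime    = (Get-Date).AddDays(-1)

# Filter on the server side instead of pulling the whole log over the wire.
$filter = @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $StartTime }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Read named fields from the event XML rather than parsing the message text,
# which changes with the display language and between Windows versions.
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

$sessions = @{}   # keyed by TargetLogonId, which links a 4624 to its 4634/4647
foreach ($e in $events | Sort-Object TimeCreated) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4624 {
            # Logon type 2 = interactive (console), 10 = RemoteInteractive (RDP).
            # Types 3 (network), 4 (batch) and 5 (service) are mostly machine noise.
            $type = [int]$d.LogonType
            if ($type -in 2, 10) {
                $sessions[$d.TargetLogonId] = [pscustomobject]@{
                    User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonType  = $type
                    Source     = $d.IpAddress
                    LogonTime  = $e.TimeCreated
                    LogoffTime = $null
                }
            }
        }
        { $_ -in 4634, 4647 } {
            $s = $sessions[$d.TargetLogonId]
            if ($s -and -not $s.LogoffTime) { $s.LogoffTime = $e.TimeCreated }
        }
    }
}

# Sessions with no LogoffTime are still open (or their logoff fell outside the window).
$sessions.Values |
    Select-Object User, LogonType, Source, LogonTime, LogoffTime,
        @{ n = 'Duration'; e = { if ($_.LogoffTime) { $_.LogoffTime - $_.LogonTime } } } |
    Sort-Object LogonTime | Format-Table -AutoSize
```

Widen the time window or the logon types in $filter and the `-in 2, 10` test to cover other scenarios, such as network logons to file servers.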

Finding the User Logon or Logoff Time using Attribute Editor
The Attribute Editor can be used to find the last logon or logoff time of a specific user, by following the steps given below.
  1. Open Active Directory Users and Computers and ensure that Advanced Features is enabled.
  2. Locate the desired user account for which the logon/logoff time needs to be checked and open it.
  3. In the Properties window, click on the Attribute Editor tab.
  4. The lastLogon and lastLogoff attributes specify the time of the last logon or logoff event.
  5. However, this method can only be used to check the logon or logoff time of a single user account at a time.
  6. The same information can also be obtained with the following PowerShell command: Get-ADUser -Identity "username" -Properties "LastLogonDate"
Here, username specifies the required user account and thus the logon time for the required user is displayed.
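As an added example (not from the original article), the function below goes one step beyond the single Get-ADUser call: the lastLogon attribute is updated only on the domain controller that handled the logon and is not replicated, so Attribute Editor or Get-ADUser against one DC can show a stale value. The function queries every DC and keeps the newest timestamp, and reports LastLogonDate alongside it for comparison. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name Get-TrueLastLogon is made up here.

```powershell
# Added example, not part of the original article.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$Identity)

    $newest = [datetime]::MinValue
    $where  = $null
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # lastLogon is a 64-bit FILETIME kept per DC; 0 or empty means no logon on this DC.
        $u = Get-ADUser -Identity $Identity -Server $dc -Properties lastLogon
        if ($u.lastLogon -and $u.lastLogon -gt 0) {
            $t = [datetime]::FromFileTime($u.lastLogon)
            if ($t -gt $newest) { $newest = $t; $where = $dc }
        }
    }
    $lastLogon = if ($newest -eq [datetime]::MinValue) { $null } else { $newest }

    # LastLogonDate is derived from the replicated lastLogonTimestamp, which is only
    # refreshed when the stored value is more than about 14 days old, so it can lag.
    $replicated = (Get-ADUser -Identity $Identity -Properties LastLogonDate).LastLogonDate

    [pscustomobject]@{
        User          = $Identity
        LastLogon     = $lastLogon     # newest per-DC value
        ReportedBy    = $where         # DC that recorded it
        LastLogonDate = $replicated    # replicated, possibly stale
    }
}

Get-TrueLastLogon -Identity 'username'
```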