How to Track User Logon and Logoff Events in Active Directory
User logon and logoff events happen every day in every organization. Administrators need to track them because they play an important role in identifying security threats and other suspicious activity. Knowing which users are logged in, and when they logged on or off, also serves a wide range of other purposes: maintaining employee attendance records, spotting suspicious logon or logoff patterns, determining peak logon and logoff times, counting the users logged in at a given moment, and many other requirements.
In Active Directory, the users who are logged in and the time of their logon or logoff events can be seen using the following methods.
- By configuring Audit Policies using GPMC and Event Viewer
- By using PowerShell commands
- By using Attribute Editor to find user logon or logoff time
Configuring Audit Policies using GPMC and Event Viewer
The first step in getting the Active Directory user logon/logoff report is to enable the Active Directory audit policies. This can be done using the Group Policy Management Console (GPMC) by following the steps given below.
- Open the Group Policy Management Console (GPMC).
- Create a new Group Policy Object (GPO) and navigate to the Group Policy Management Editor.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
- Configure the following audit policies to track user logon and logoff.
- Audit Logon
- Audit Logoff
- Audit Other Logon/Logoff Events
- Double click on Audit Logon and select Configure the following audit events.
- Check the Success and Failure checkboxes to register both successful and failed events in the Security log. Click Apply and OK.
- Repeat the same procedure for the Audit Logoff and Audit Other Logon/Logoff Events policies and close the Group Policy Management Editor.
- To apply this policy to all the Active Directory objects, select the modified GPO and go to the Security Filtering section on the right pane of the Group Policy Management Console. Select Everyone and click on Add.
- Save the changes in the GPO and close the Group Policy Management Console.
- Run the following command to update the group policies.
- gpupdate /force
Once the appropriate audit policies have been enabled, the administrator can see which users have logged in or logged off and the time of these logon or logoff events by means of the Event Viewer. This can be done by following the instructions given below.
- Open Event Viewer by going to Start > Administrative Tools.
- Navigate to Windows logs > Security.
- Open Filter Current Log and set the filters or search for the Event IDs given as follows.
- Event ID 4624 – Logon
- Event ID 4647 – Logoff
- Event ID 4634 – Logon session end time
- Double click Event ID 4848 to open its Event Properties, which give the details of the user, their logon activity and the time of the logon or logoff.
- Similarly, the appropriate Event IDs can be selected to view the user logon or logoff time and other details.
Tracking User Logon and Logoff Events using PowerShell
The user logon and logoff events and their times can also be tracked with PowerShell. The Get-EventLog cmdlet retrieves the events from the event logs of the domain controller, and the result can be filtered by the Event IDs listed above; the logon time is part of each event.
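The following script is an added example, not code from the original article, showing how the Event IDs above are pulled out of the Security log and turned into a logon/logoff report. It uses Get-WinEvent with a filter hashtable rather than Get-EventLog, because Get-WinEvent filters on the server side and works in both Windows PowerShell and PowerShell 7. It assumes it runs on, or is pointed at, the computer whose Security log holds the logons of interest (4624, 4634 and 4647 are written by the host where the session is created), and that the account running it may read the Security log. The logon type values, the 24-hour window and the column names are choices made for this example.

```powershell
# Added example (not from the original article). Assumes the Security log on
# this host holds the sessions of interest and that the caller may read it.
$ids   = 4624, 4634, 4647
$since = (Get-Date).AddDays(-1)

# Server-side filtering by log, Event ID and time window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
}

# Each event type carries a different set of EventData fields; flatten them
# into one shape so the three IDs can be reported and correlated together.
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    $action = switch ($e.Id) {
        4624 { 'Logon' }
        4634 { 'Session end' }
        4647 { 'Logoff' }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Action    = $action
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']      # present on 4624 only
        LogonId   = $data['TargetLogonId']  # links a 4624 to its 4634/4647
        Source    = $data['IpAddress']      # present on 4624 only
    }
}

# Drop computer accounts (names ending in $) and keep only the logon types
# that represent a person at a console or RDP session:
# 2 = interactive, 7 = unlock, 10 = remote interactive. Type 3 (network) and
# type 5 (service) logons are left out because they swamp the report.
$report |
    Where-Object { $_.User -notlike '*$' -and ($_.EventId -ne 4624 -or $_.LogonType -in 2, 7, 10) } |
    Sort-Object Time |
    Format-Table Time, Action, User, LogonType, LogonId, Source -AutoSize

# Session duration: pair each 4624 with the 4634 that shares its LogonId.
$report | Group-Object LogonId | Where-Object Count -ge 2 | ForEach-Object {
    $on  = $_.Group | Where-Object EventId -eq 4624 | Select-Object -First 1
    $off = $_.Group | Where-Object EventId -eq 4634 | Select-Object -First 1
    if ($on -and $off) {
        [pscustomobject]@{
            User       = $on.User
            LogonTime  = $on.Time
            LogoffTime = $off.Time
            Duration   = $off.Time - $on.Time
        }
    }
} | Format-Table -AutoSize
```

The LogonId correlation is what makes the 4634 "session end" events useful: on their own they only name the account, but joined to the matching 4624 they give the session's start, end and source address in one row. To report a different machine, add `-ComputerName` to the Get-WinEvent call.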
Finding the User Logon or Logoff Time using Attribute Editor
The Attribute Editor can be used to find the last logon or logoff time of a specific user by following the steps given below.
- Open Active Directory Users and Computers and ensure that the Advanced Features is enabled.
- Locate the desired user account for which the logon/logoff time needs to be checked and open it.
- In the Properties window, click on the Attribute Editor tab.
- The lastLogon and lastLogoff attributes specify the time of the last logon or logoff event.
- However, this method can be used only for tracking the logon or logoff time for single-user accounts.
- This can also be done using the following PowerShell command.
- Get-ADUser -Identity "username" -Properties LastLogonDate
Here, username is the account to look up, and the command displays that user's last logon time.
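The function below is an added example, not part of the original article, that goes one step further than the single Get-ADUser call above. LastLogonDate is Get-ADUser's friendly view of the replicated lastLogonTimestamp attribute, which by default is only refreshed when it is more than about 14 days stale, so it can lag the real most-recent logon by up to two weeks. The exact lastLogon attribute is not replicated: each domain controller stores only the logons it authenticated itself, so the true value is the latest one found across all DCs. The example requires the ActiveDirectory RSAT module and a domain account permitted to read user attributes; the account name 'jdoe' is a placeholder.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and rights to read user attributes on every domain controller.
Import-Module ActiveDirectory

function Get-UserLastLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Replicated, convenient, but possibly up to ~14 days behind.
    $replicated = (Get-ADUser -Identity $SamAccountName -Properties LastLogonDate).LastLogonDate

    # Exact but per-DC: query each domain controller and convert the FILETIME.
    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            $when = $null
            if ($u.lastLogon) { $when = [DateTime]::FromFileTime($u.lastLogon) }   # 0 means never
            [pscustomobject]@{ DC = $dc.HostName; LastLogon = $when }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }

    # The most recent of the per-DC values is the real last logon.
    $latest = $perDc.LastLogon | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    [pscustomobject]@{
        User                = $SamAccountName
        LastLogonDate       = $replicated
        MostRecentLogon     = $latest
        PerDomainController = $perDc
    }
}

# Usage: 'jdoe' is a placeholder account name.
$result = Get-UserLastLogon -SamAccountName 'jdoe'
$result | Format-List User, LastLogonDate, MostRecentLogon
$result.PerDomainController | Format-Table -AutoSize
```

When LastLogonDate and MostRecentLogon disagree, MostRecentLogon is the one to trust; the replicated value is adequate for finding stale accounts, while the per-DC query is the one to use when the exact last logon of a particular account matters.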