Tracking Username and IP Address in Active Directory
In an organizational environment, administrators must periodically track which resources users access. This helps maintain the organization's security, as the administrators then have a record of which user logged on or accessed a particular resource. This process is referred to as auditing, and it can cover the logon, logoff, and similar activities of users. The following sections describe how to find which user has logged on and the IP address from which they did so.
Tracking user logon events using Active Directory Security Logs
The server administrator can use the Active Directory security logs to keep track of which users logged on, when they logged on, and what files were accessed. User logon information is collected in the domain controller logs once the audit policy for logon events is enabled. This involves applying the Audit Logon policy to Active Directory objects and then tracking logon events using Event Viewer.
The Audit Logon policy can be applied using the following steps.
- Open the Group Policy Management Console by navigating to Start and typing gpmc.msc.
- From the Group Policy Management Console, select the Default Domain Policy option and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
- Enable the Audit Logon and Audit Other Logon/Logoff policies.
- Double click on Audit Logon. This opens its properties.
- Click on the Configure the following audit events checkbox.
- Click on the Success and Failure checkboxes to audit both the successful and failed events in the security log.
- Click on Apply and then OK.
- Repeat the same steps for the Audit Other Logon/Logoff Events policy.
- Close the Group Policy Management Editor and in the GPMC, select the Group Policy Object that was modified.
- Navigate to the Security Filtering section, select Add, choose Everyone, and close the GPMC. This applies the policy to all objects in Active Directory.
To update the group policies, run the gpupdate /force command in Command Prompt.
The Windows Event Viewer is an administrative tool that helps keep track of events, errors, and other important messages. The information is stored in a series of logs called the Event logs. There are five types of events that may be logged, namely Information, Warning, Error, Success Audit, and Failure Audit.
Once the audit policies have been configured, the logon activities can be tracked using the Event Viewer. This can be done using the following steps.
- Click on Start and select Administrative Tools > Event Viewer.
- Navigate to Windows logs > Security.
- From the right pane, open Filter Current Log and set filters for the appropriate event IDs. Event ID 4624 indicates a successful logon by a user, while 4647 indicates a successful logoff. Event 4648 is generated when a process explicitly specifies the credentials of an account and attempts a logon. Double click on an event to access its Event Properties.
- In the Account Logon category, right-click on the Success Audit log and select Open. This displays the username that logged on, including the date and time of occurrence. The Client Address specifies the IP address of the user.
Tracking User Logon Events using PowerShell
The Get-EventLog PowerShell cmdlet can be used to retrieve all events from the domain controller's event log and filter them by Event ID. It also displays information such as the time of the event and the computer on which it occurred.
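As an added example (not code from the original page), the following script pulls the 4624 and 4648 events discussed above from a domain controller's Security log and lists the user, logon type and source IP for each, then summarizes which addresses every account logged on from. It uses Get-WinEvent, which reads the same Security log as Get-EventLog but filters by event ID and time on the server side, and it assumes the caller can read the Security log (local Administrators or Event Log Readers) and that $DomainController is a reachable DC name.

```powershell
# Added example: list interactive/network logons (4624) and explicit-credential
# logons (4648) with the account and source IP, then summarize per account.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: local DC by default
    [int]$Hours = 24                                # how far back to look
)

# Filter server-side by log, event ID and time instead of pulling every record.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4648
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML and look fields up by name; positional
    # ReplacementStrings indices differ between 4624 and 4648.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Skip computer accounts and built-in principals to focus on people.
    if ($d.TargetUserName -match '\$$' -or $d.TargetUserName -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType        # populated for 4624 only (2 interactive, 3 network, 10 RDP)
        SourceIP  = $d.IpAddress        # '-' or '::1' means the logon originated locally
        Source    = $d.WorkstationName  # empty for 4648, which carries no workstation field
    }
}

# Per-event view, newest first.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Per-account view: the set of IPs each user logged on from, which makes an account
# suddenly appearing from an unfamiliar address easy to spot.
$rows | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
    Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Name
            Logons    = $_.Count
            SourceIPs = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

Note that a domain controller only records 4624 for logons made to the DC itself; workstation logons authenticated by Kerberos show up on the DC as account logon events (4768/4769), whose Client Address field carries the IP.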