Understanding what your users are doing in your critical systems is crucial for identifying potential security breaches and suspicious behavior. In this article, we’ll discuss two methods for tracking user logon sessions: the native auditing method (Event Log) and an automated solution (LepideAuditor).

Step 1: Configure the Audit Policies

Steps:

Go to “Start” ➔ “All Programs” ➔ “Administrative Tools”. Double-click “Group Policy Management” to open its window.

In the “Group Policy Management” console navigate to “Forest” ➔ “Domains” ➔ “www.domain.com”.

Under the “Domain Controllers” node, right-click any customized policy. Click “Edit” to access the “Group Policy Management Editor”.

Note: We recommend that you create a new GPO, link it to the domain and edit it.

Go to “Computer configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies” ➔ “Logon/Logoff”.

Figure 1: Group Policy Management Editor

You have to configure the following policies:

  • Audit Logon
  • Audit Logoff
  • Audit Other Logon/Logoff

Double-click “Audit Logon” to access its properties.

Click to select “Configure the following audit events”.

To audit successful and failed events, click both “Successful” and “Failure” checkboxes.

Click “Apply” and “Ok”. Repeat the steps for “Audit Logoff” and “Audit Other Logon/Logoff” policies.

Close “Group Policy Management Editor”.

In the “Group Policy Management Console”, select the GPO that you have modified. In the “Security Filtering” section of the right pane, click “Add” and add “Everyone” so that this policy applies to all Active Directory objects.

Figure 2: Group Policy Management Console

Close “Group Policy Management Console”.

At the “Run” prompt or in “Command Prompt”, run the following command to update the group policies:

gpupdate /force
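Once the policy has been refreshed, it is worth confirming that the three subcategories are actually in effect on the machine whose Security log you intend to read, rather than assuming the GPO applied. The following PowerShell script is an added example and is not part of the original article or of LepideAuditor; it reads the effective audit policy with auditpol (which must be run from an elevated prompt) and reports any of the three subcategories from Step 1 that are not set to “Success and Failure”.

```powershell
# Added example, not from the original article: confirm that the Step 1 GPO
# actually took effect on this machine by reading the effective audit policy.
# Assumes an elevated PowerShell session (auditpol requires administrator rights).
$required = @('Logon', 'Logoff', 'Other Logon/Logoff Events')

# auditpol's /r switch emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$policy = auditpol /get /category:"Logon/Logoff" /r |
    Where-Object { $_ -ne '' } |          # drop any blank line before the header
    ConvertFrom-Csv

$missing = foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row -or $row.'Inclusion Setting' -ne 'Success and Failure') {
        [pscustomobject]@{
            Subcategory = $name
            Effective   = $(if ($row) { $row.'Inclusion Setting' } else { '(not reported)' })
        }
    }
}

if ($missing) {
    Write-Warning 'These subcategories are not auditing both Success and Failure:'
    $missing | Format-Table -AutoSize
} else {
    'All three Logon/Logoff subcategories audit Success and Failure.'
}
```

If a subcategory still reports “No Auditing” after gpupdate, check that the GPO is linked where the computer account lives and that the security option “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” has not been disabled, since a legacy category-level setting can otherwise take precedence over the advanced subcategory settings configured above.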

Step 2: Track logon sessions using Event Logs

Perform the following steps in the Event Viewer to track session time:

Go to “Windows Logs” ➔ “Security”.

Open “Filter Current Log” on the rightmost pane and set filters for the following Event IDs. You can also search for these event IDs.

  • 4624 – Logon (Whenever an account is successfully logged on)
  • 4647 – Logoff (When an account is successfully logged off)
  • 4634 – Logon session end time
  • 4800 – System was locked
  • 4801 – System was unlocked

Double-click the event ID 4624 to access “Event Properties”. The session start time is displayed as “Logged”.

Figure 3: User logon - Event Properties

Let’s use an example to get a better understanding. In the “Event Properties” shown above, a user with the account name “TestUser1” logged on at 2:41 PM on 11/24/2017. The session end time (obtained from the corresponding Event ID 4647) is 03:02 PM on 11/24/2017.

Figure 4: User Logoff – Event properties

You can obtain the user’s logon session time using these details.

This process becomes quite complicated and time-consuming when you have to track logon session time for multiple users. In the majority of cases, it simply isn’t practical to rely on event logs for this information. To get the exact session time, you need to consider the very first logon and the last logoff time displayed in the event properties.
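The manual pairing described above (find the 4624 logon, then the 4647 or 4634 logoff for the same session) can be scripted for every user at once. The following PowerShell script is an added example, not code from the original article or from LepideAuditor. It assumes the Step 1 policies are in effect and that it runs elevated on the machine (or domain controller) whose Security log is being read; the computer name and look-back window are parameters, and the events are matched on the TargetLogonId field that Windows writes into both the logon and the logoff event, which is what makes the pairing reliable when many sessions overlap. Run against the article’s example, the TestUser1 session from 2:41 PM to 3:02 PM would come out as a 21-minute row.

```powershell
# Added example, not from the original article: pair each 4624 logon with the
# 4647/4634 logoff that carries the same TargetLogonId and report session length.
# Assumptions: Step 1 audit policies are applied; elevated session; $ComputerName
# defaults to the local machine.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Interactive logon types (2 = local console, 10 = RDP, 11 = cached credentials).
# Type 3 (network) and type 5 (service) logons generate most of the 4624 noise
# and are not user sessions in the sense this article tracks.
$interactiveTypes = '2', '10', '11'

function Get-EventDataField {
    # Pull a named <Data Name="..."> value out of the event's XML payload
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4647, 4634
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction Stop | Sort-Object TimeCreated

$open   = @{}        # TargetLogonId -> session that has started but not ended
$report = foreach ($e in $events) {
    $x  = [xml]$e.ToXml()
    $id = Get-EventDataField $x 'TargetLogonId'
    switch ($e.Id) {
        4624 {
            if ((Get-EventDataField $x 'LogonType') -in $interactiveTypes) {
                $open[$id] = [pscustomobject]@{
                    User  = '{0}\{1}' -f (Get-EventDataField $x 'TargetDomainName'),
                                           (Get-EventDataField $x 'TargetUserName')
                    Start = $e.TimeCreated      # same value Event Viewer shows as "Logged"
                }
            }
        }
        { $_ -in 4647, 4634 } {
            # A single logoff often produces both 4647 and 4634; the first one
            # closes the session and the second is ignored because the id is gone.
            if ($open.ContainsKey($id)) {
                $s = $open[$id]
                $open.Remove($id)
                [pscustomobject]@{
                    User     = $s.User
                    LogonId  = $id
                    Start    = $s.Start
                    End      = $e.TimeCreated
                    Duration = $e.TimeCreated - $s.Start
                }
            }
        }
    }
}

'Completed sessions:'
$report | Sort-Object Start | Format-Table -AutoSize

# Sessions with a logon but no logoff in the window: still active, or the
# logoff fell outside the window or was never written (crash, power loss).
'Sessions without a matching logoff:'
$open.Values | Sort-Object Start | Format-Table User, Start -AutoSize
```

Because 4634 and 4647 are not guaranteed to be written (an unexpected shutdown produces neither), the script lists unmatched logons separately rather than silently dropping them; those are exactly the sessions that a reviewer would otherwise miss when reading the log by hand.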

LepideAuditor – Simplifying your auditing needs

With a cutting-edge auditing solution, like LepideAuditor for Active Directory, monitoring and controlling the network activities of your organization is simple. We offer real-time reports with granular details of all the event activities. The Logon/Logoff reports generated by LepideAuditor mean that tracking user logon session time for single or multiple users is essentially an automated process.

The screenshot given below shows a report generated by LepideAuditor for Logon/Logoff activities:

Figure : LepideAuditor Successful User logon/logoff report

Conclusion

In this article, the steps to audit user logon and logoff events through native auditing are explained. However, a great deal of noise is generated for logon and logoff events, which makes it complicated for IT administrators to obtain a real-time view. An easier and more efficient way to audit the same activity with LepideAuditor has also been explained. To try LepideAuditor for yourself, download the free trial version today.

Download LepideAuditor for Active Directory

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.