How to Track User Logon Session Time in Active Directory

4 min read | Updated On - April 18, 2023

Understanding what your users are doing in your critical systems is crucial to identifying potential security breaches and suspicious behavior. In this article, we discuss two methods for tracking user logon session time: the native auditing method (the Windows Event Log) and an automated solution, Lepide Active Directory Auditor.

Step 1: Configure the Audit Policies

  • Go to “Start” ➔ “All Programs” ➔ “Administrative Tools”. Double-click “Group Policy Management” to open its window.
  • In the “Group Policy Management” console navigate to “Forest” ➔ “Domains” ➔ “www.domain.com”.
  • Under the “Domain Controllers” node, right-click any customized policy. Click “Edit” to access the “Group Policy Management Editor”.

    Note: We recommend that you create a new GPO, link it to the domain and edit it.

  • Go to “Computer configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies” ➔ “Logon/Logoff”.
    Figure 1: Group Policy Management Editor
  • You have to configure the following policies:
    • Audit Logon
    • Audit Logoff
    • Audit Other Logon/Logoff
  • Double-click “Audit Logon” to access its properties.
  • Click to select “Configure the following audit events”.
  • To audit successful and failed events, click both the “Successful” and “Failure” checkboxes.
  • Click “Apply” and “Ok”. Repeat the steps for the “Audit Logoff” and “Audit Other Logon/Logoff” policies.
  • Close “Group Policy Management Editor”.
  • In “Group Policy Management Console”, select the GPO that you have modified. In the “Security Filtering” section in the right pane, click “Add” to add “Everyone” for applying this policy to all Active Directory objects.
    Figure 2: Group Policy Management Console
  • Close “Group Policy Management Console”.
  • At the “Run” prompt or in “Command Prompt”, run the following command to update the group policies.

    gpupdate /force
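Before moving on to the Event Viewer it is worth confirming that the three subcategories from Step 1 are actually in effect on the machine whose log you intend to read. The following PowerShell function is an added example, not part of the original article or of any Lepide product; it wraps the built-in auditpol tool, whose /r switch prints the effective policy as CSV, and reports which subcategories are still short of "Success and Failure". The function name is our own.

```powershell
# Added example, not part of the article: check that the three Logon/Logoff
# subcategories configured in Step 1 are in effect on this machine after
# "gpupdate /force". Run from an elevated PowerShell prompt.
function Test-LogonAuditPolicy {
    # The subcategory names auditpol uses for the three policies set in the GPO.
    $required = 'Logon', 'Logoff', 'Other Logon/Logoff Events'

    # /r prints the effective policy as CSV with the columns: Machine Name,
    # Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $rows = auditpol /get "/subcategory:$($required -join ',')" /r |
        Where-Object { $_ -match ',' } |      # drop any blank lines before parsing
        ConvertFrom-Csv

    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            # Step 1 asks for both Success and Failure on every subcategory.
            Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

Test-LogonAuditPolicy | Format-Table -AutoSize
```

If a row still reads "No Auditing" after the policy refresh, check with `gpresult /r /scope:computer` that the GPO is listed as applied to the computer. One common cause of a GPO that applies but has no effect is a conflict between the legacy audit categories and the Advanced Audit Policy Configuration; enabling the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" makes the advanced settings win.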

Step 2: Track Active Directory User Logon Session Time using Event logs

Perform the following steps in the Event Viewer to track session time:

  • Go to “Windows Logs” ➔ “Security”.
  • Open “Filter Current Log” in the rightmost pane and set filters for the following Event IDs (you can also search for these event IDs directly):

    Event ID   Description
    4624       Logon (an account was successfully logged on)
    4647       Logoff (an account was successfully logged off)
    4634       Logon session end time
    4800       System was locked
    4801       System was unlocked
  • Double-click the event ID 4648 to access “Event Properties”. The session start time is displayed as “Logged”.
    Figure 3: User logon – Event Properties

    Let’s use an example to get a better understanding. In the “Event Properties” shown above, the user account “TestUser1” logged on at 2:41 PM on 11/24/2017. The session end time (obtained from the corresponding Event ID 4647) is 11/24/2017 at 03:02 PM.

    Figure 4: User Logoff – Event properties

    The difference between these two timestamps is the user’s logon session time.

This process becomes complicated and time-consuming when you have to track logon session time for multiple users, and in most cases it is simply not practical to rely on event logs alone for this information. Note also that, to get the exact session time, you need to use the very first logon time and the final logoff time displayed in the event properties, not an intermediate event.
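The manual pairing described in Step 2 can be automated for many users at once. The script below is an added example, not code from the article or from Lepide: it reads 4624, 4634 and 4647 events from the Security log, pairs each logon with its logoff by the TargetLogonId field that all three events carry, and returns one object per completed session with its duration. The function names and the choice to keep only logon types 2, 10 and 11 (interactive, remote interactive and cached interactive, which correspond to user sessions rather than service or network logons) are our own assumptions; adjust the list if you need other logon types.

```powershell
# Added example, not from the article: pair logon (4624) with logoff (4647/4634)
# events by TargetLogonId and compute the session duration for every user.
# Run from an elevated prompt on the computer whose Security log you want to read.

function Get-EventDataField {
    # Read a named EventData field from the event XML instead of relying on
    # positional property indexes, which differ between 4624 and 4634/4647.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonSessionDuration {
    param(
        [datetime]$Since   = (Get-Date).AddDays(-1),   # assumed default: last 24 hours
        [string]  $LogName = 'Security'
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = 4624, 4634, 4647; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $open = @{}   # TargetLogonId -> details of a session that has not ended yet

    $sessions = foreach ($e in ($events | Sort-Object TimeCreated)) {
        $logonId = Get-EventDataField $e 'TargetLogonId'
        switch ($e.Id) {
            4624 {
                # Keep user sessions only (assumption): 2 = interactive,
                # 10 = remote interactive, 11 = cached interactive.
                $type = Get-EventDataField $e 'LogonType'
                if ($type -in '2', '10', '11') {
                    $open[$logonId] = @{
                        User  = Get-EventDataField $e 'TargetUserName'
                        Start = $e.TimeCreated
                        Type  = $type
                    }
                }
            }
            { $_ -in 4634, 4647 } {
                # The first closing event for a LogonId ends the session; a 4647
                # (user-initiated logoff) is normally followed by a 4634, which
                # is then ignored because the session has already been removed.
                if ($open.ContainsKey($logonId)) {
                    $s = $open[$logonId]
                    [pscustomobject]@{
                        User      = $s.User
                        LogonType = $s.Type
                        LogonId   = $logonId
                        Start     = $s.Start
                        End       = $e.TimeCreated
                        Duration  = $e.TimeCreated - $s.Start
                        EndEvent  = $e.Id
                    }
                    $open.Remove($logonId)
                }
            }
        }
    }

    # Anything still in $open is either logged on right now or had no logoff recorded.
    $sessions
}

Get-LogonSessionDuration | Sort-Object Start |
    Format-Table User, LogonType, Start, End, Duration, EndEvent -AutoSize
```

Two caveats when reading the output. Logon and logoff events are written on the computer where the session exists, so a user’s workstation session appears in that workstation’s log, not in the domain controller’s; the domain controller records the authentication, not the session. And a session that ends without a logoff event (power loss, a crash, an account that simply stays logged on) never leaves the `$open` table, so a missing row means "no recorded end", not "zero duration".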

How to Use Lepide Active Directory Auditor to check User Logon Session Time

With cutting-edge Active Directory auditing software, like Lepide Auditor for Active Directory, monitoring and controlling the network activities of your organization is simple. Lepide offers real-time reports with granular details of all event activities. The Logon/Logoff reports generated by Lepide Active Directory Auditor mean that tracking user logon session time for single or multiple users essentially becomes an automated process.

The screenshot given below shows a report generated for Logon/Logoff activities:

Figure: Successful user logon/logoff report

Why You Need to Be Using Lepide to Audit Logon/Logoff Events

In this article, we went through the steps you need to take if you want to audit logon/logoff events using the Event Logs themselves. Clearly, this is not the most effective and sensible way to conduct your Active Directory auditing. Event logs are noisy, they don’t contain a lot of context, and for more complex auditing tasks they simply do not provide enough information to be of any use.

The easier and more efficient way to audit logon/logoff activities, along with other critical events in Active Directory, is to use Lepide. To try Lepide’s AD auditing software for yourself, download the free trial version.
