Thursday, 7 August 2014
Users logging on to or off from their domain computers is a routine activity in any enterprise. It may look like a simple Active Directory event, but administrators can make use of this valuable data for different audit, compliance and operational needs. There are occasions when an organization looks for audit details on user logons and logoffs for operational requirements such as:
- Find out which users accessed, or attempted to access, workstations or domain controllers through a remote network computer.
- Determine peak login times for a specific user in the domain.
Automated and complete tracking of user activity is never an easy job, but it is very important. These days, the spread of compliance regulations and heightened security concerns are forcing many organizations to track every single AD user logon and logoff. The key question is how you can track user logon information. The answer lies in the successful implementation of user logon and logoff scripts in Group Policy.
The steps you need to follow to track AD user logon and logoff activity are explained below:
Set up a Share on the network
First of all, create and share a folder with full access permissions for everyone, as well as full NTFS permissions for the users you want to log.
It is always suggested to make it a hidden share, \\server\share$\.
This walkthrough uses two folders in the shared location: one for computers, \\server\share$\Computers\, and another for users, \\server\share$\Users\.
Create the batch files
- Create logon.bat with the contents below and save it as \\server\share$\logon.bat. It consists of the following commands:
ver >>\\server\share$\Computers\%computername%.txt
This command returns the OS version and writes it to computer_name.txt on your share.
echo %username% logged on %date% - %time% >>\\server\share$\Computers\%computername%.txt
This command writes the name of the logged-on user, with the date and time at which the script ran, to computer_name.txt on your share.
ipconfig /all |findstr Address >>\\server\share$\Computers\%computername%.txt
This command returns the IP and MAC addresses of the network connections and writes them to computer_name.txt on your share.
echo %computername% logged on %date% - %time% >>\\server\share$\Users\%username%.txt
ipconfig /all |findstr Address >>\\server\share$\Users\%username%.txt
These commands write almost all of the same information to the user_name.txt files in \\server\share$\Users\.
- Create logoff.bat with the contents shown below and save it as \\server\share$\logoff.bat:
echo %username% logged off %date% - %time% >>\\server\share$\Computers\%computername%.txt
echo %computername% logged off %date% - %time% >>\\server\share$\Users\%username%.txt
Add the batch files to group policy
The next step is to make those .bat files run every time users log on and log off. To achieve this, follow the steps below:
- Open Group Policy Management, then create a GPO and link it to the OU that contains the targeted users.
- Right-click that GPO and select Edit.
- Navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff), double-click Logon and click Add.
- Browse for logon.bat (\\server\share$\logon.bat) and click OK.
Finally, once you have followed all the steps above, you will get a log file detailing when and where each user logs on and logs off.
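To turn those text files into session records and peak logon hours, the entries can be parsed as in the following added example (not part of the original post). It assumes the en-US `%date%` / `%time%` output format and uses a constructed sample of a `\\server\share$\Users\` file; the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of \\server\share$\Users\alice.txt (not real data).
# Assumption: en-US %date% / %time% output; %time% is space-padded before 10:00.
SAMPLE = """\
WS01 logged on Thu 08/07/2014 -  8:58:03.41
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
WS01 logged off Thu 08/07/2014 - 12:01:10.07
WS02 logged on Thu 08/07/2014 - 13:02:44.90
WS02 logged on Fri 08/08/2014 -  8:47:15.12
WS02 logged off Fri 08/08/2014 - 17:30:00.00
"""

LINE = re.compile(r"^(?P<name>.+?) logged (?P<action>on|off) \w{3} "
    r"(?P<date>\d{2}/\d{2}/\d{4}) - \s*(?P<time>\d{1,2}:\d{2}:\d{2})[.,]\d{2}\s*$")

def parse_events(text):
    """Return (name, action, datetime) tuples; ver/ipconfig lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
            events.append((m["name"], m["action"], ts))
    return events

def pair_sessions(events):
    """Pair each logon with the next logoff for the same name (end=None if missing)."""
    open_at, sessions = {}, []
    for name, action, ts in events:
        if action == "on":
            if name in open_at:  # earlier session never logged off (crash, power loss)
                sessions.append((name, open_at[name], None))
            open_at[name] = ts
        elif name in open_at:  # a logoff with no matching logon is ignored
            sessions.append((name, open_at.pop(name), ts))
    return sessions + [(n, start, None) for n, start in open_at.items()]

def peak_logon_hour(events):
    """Hour of day (0-23) with the most logon entries."""
    hours = Counter(ts.hour for _, action, ts in events if action == "on")
    return hours.most_common(1)[0][0]

if __name__ == "__main__":
    for name, start, end in pair_sessions(parse_events(SAMPLE)):
        print(name, start, end - start if end else "no logoff recorded")
    print("peak logon hour:", peak_logon_hour(parse_events(SAMPLE)))
```

Because the share grants every user full access, the entries are unauthenticated text that any logged user can edit; cross-check them against the domain controllers' Security log where the result matters.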
Limitations
However, tracking through the native Active Directory manual method has its own limitations. Every logon detail is constantly logged in the Security logs of the Active Directory Domain Controllers (DCs). At times, the data logged on the native Active Directory Domain Controllers:
- Requires expertise to interpret, because it is difficult to understand the specific event numbers and their relationship to a logon action.
- Grows huge in volume. Every logon activity on or by any Active Directory object is constantly logged on the Domain Controller, and after a certain time this event log data piles up to a huge volume.
Summary
These days, the spread of compliance regulations and heightened security concerns are forcing many organizations to track every single AD user logon and logoff. The key question is how you can track user logon information. The answer lies in the successful implementation of user logon and logoff scripts in Group Policy.