Before getting into the specifics, I would like to give a small introduction on tracking Logon / Logoff in Active Directory environment, which is a cumbersome process.
Auditing the Windows Active Directory environment
With the current Windows architecture it’s difficult to get all logon data at a single point. In an AD environment, a Domain Controller (DC) is the one which does the real authentication. When there are multiple DCs in a setup, handling the authentication mechanism, the logon data (please note only the logon data) is available in different computers (read as DCs). So to compute a clear logon activity collecting all these data is essential. Also another pain point here is distinguishing between a user’s real logon (interactive logon) and other types of logons (network, batch, service, unlock, remote-interactive etc.,).
The auditing design by Windows is like debug prints, we put in a source code, wherein, when the code encounters the “auditing” setting, then there’s a print on the corresponding activity,
Debug(“Auth Toke requested for %s”, __user);
|echo logon, %username%, %computername%, Úte%, %time% >> omegalogonlogon.log|
|echo logoff, %username%, %computername%, Úte%, %time% >> omegalogonlogoff.log|
Where “omega” is a Server with a share folder called “logon”. In this setting, when a user logs on or logs off, an entry is automatically made into “logon.log” and “logoff.log” respectively.
ADAudit Plus is capable of collecting logon/logoff information from DCs, Member Servers, File Servers, this workaround is only for Workstations. The feature to collect the logon information from Workstations is currently under progress and is expected to be released soon.
Also if you have any doubts or questions regarding ADAudit Plus you can send us an email to “email@example.com”
The original article/video can be found at Tracking Workstation Logon/Logoff using ADAudit Plus