Tracking Workstation Logon/Logoff using ADAudit Plus

Before getting into the specifics, I would like to give a small introduction on tracking Logon / Logoff in Active Directory environment, which is a cumbersome process.

Auditing the Windows Active Directory environment

Logon Auditing

With the current Windows architecture it’s difficult to get all logon data at a single point. In an AD environment, a Domain Controller (DC) is the one which does the real authentication. When there are multiple DCs in a setup, handling the authentication mechanism, the logon data (please note only the logon data) is available in different computers (read as DCs). So to compute a clear logon activity collecting all these data is essential. Also another pain point here is distinguishing between a user’s real logon (interactive logon) and other types of logons (network, batch, service, unlock, remote-interactive etc.,).

The auditing design by Windows is like debug prints, we put in a source code, wherein, when the code encounters the “auditing” setting, then there’s a print on the corresponding activity,

   Debug(“Auth Toke requested for %s”, __user);

Logoff Auditing

Logoff auditing is altogether a different territory to conquer; it has nothing to do with the authenticating servers (DCs). In fact, this activity log is never available with the DCs. As it’s a local computer activity, the logoff information is available only with the corresponding Workstation / Server event logs. So, you are forced to gather logoff information from each and every computer on the network. Scalability comes into picture, and so you are driven to an agent oriented methodology, where each agent sits in a workstation, collects and pushes required logoff information to the main server.

Let us part from the introduction and proceed to the audit solution.

Logon/Logoff via File Server with ADAudit Plus

Apart from the AD Change auditing capabilities, ADAudit Plus also has a “File Server” auditing feature, where shares are tracked and reported on File creation/modification/deletion/permission changes etc., One of our customers’ had very intelligently used this feature to compute logon/logoff in his environment.

He had put a simple logon script with the following code and assigned it to every user in AD through a GPO,
echo logon, %username%, %computername%, Úte%, %time% >> omegalogonlogon.log

A similar logoff script with the following code, the name of the scripts were “logon.cmd” and “logoff.cmd”

echo logoff, %username%, %computername%, Úte%, %time% >> omegalogonlogoff.log

Where “omega” is a Server with a share folder called “logon”. In this setting, when a user logs on or logs off, an entry is automatically made into “logon.log” and “logoff.log” respectively.

Now using the File Server audit feature, he configured the server “omega” and included the share “logon” for auditing. Thus whenever a user does a logon/logoff, the files “logon.log” and “logoff.log” change; is audited by ADAudit Plus!  The interesting part here is the entry put in the file happens on the user’s credential who is doing the login/logout.  Consequently, username is filled in “who modified” the file in the event log.

This enabled our customer to get a report like this,

ADAudit Plus is capable of collecting logon/logoff information from DCs, Member Servers, File Servers, this workaround is only for Workstations.  The feature to collect the logon information from Workstations is currently under progress and is expected to be released soon.

Also if you have any doubts or questions regarding ADAudit Plus you can send us an email to “”

You Can Learn More About the ManageEngine Product Line By Going to

The original article/video can be found at Tracking Workstation Logon/Logoff using ADAudit Plus

About the Author: Shannon Lewis

Leave a Reply Cancel reply