By chatting and providing personal info, you understand and agree to our Terms of Service and Privacy Policy.
Corporate Site
Overview
How it works
For Home
Step-by-Step Guides
Get Tech Support
|
1-808-210-2095

How to Audit Who Logged into a Computer and When in Windows Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Audit Who Logged into a Computer and When in Windows Active Directory

 

2. Enable Native Auditing of User Logon/Logoff Events

Audit Logon Events: This setting generates events for starting and ending logon sessions. These events happen on the machine where you log in.

Audit Account Logon Events: This setting generates events on the computer that validates logons. When a domain controller authenticates a domain user account, events are generated and stored on that domain controller.

Below are the steps to enable auditing of user Logon/Logoff events

  • Step 1 – Open “Group Policy Management” console by running the “gpmc.msc” command.
  • Step 2 – If you want to configure auditing for the entire domain, right-click on the domain and click “Create a GPO in this domain, and Link it here…”.
  • Step 3 – Create a new GPO dialog box appears on the screen. Enter a new GPO name.
  • Step 4 – Go to the new GPO, right-click on it, and select “Edit” from the context menu.
  • Step 5 – “Group Policy Management Editor” window appears on the screen.
  • Step 6 – In the navigation pane, go to “Computer Configuration” âž” “Policies” âž” “Windows Settings” âž” “Security Settings” âž” “Local Policies” âž” “Audit Policy”.
  • Step 7 – In the right pane, double-click “Audit logon events” policy to open its properties window.
  • Step 8 – Select the “Success” and “Failure” checkboxes, and click “OK”.
  • Step 9 – Similarly, you have to enable “Success” and “Failure” for “Audit Account Logon Events”.
  • Step 10 – Close “Group Policy Management Editor”.
  • Step 11 – Now, you have to configure this new Group Policy Object (containing this audit policy) on all Active Directory objects including all users and groups. Perform the following steps.
  • In In “Group Policy Management Console”, select the new GPO (containing above change).
  • In “Security Filtering” section in the right panel, click “Add” to access “Select User, Computer or Group” dialog box.
  • Type “Everyone”. Click “Check Names” to validate this entry. Click “OK” to add it and apply on all objects.
  • Step 12 – Close “Group Policy Management Console”.
  • Step 13 – Now, run following command to update GPO.
  • Step 14 – gpupdate /force

3. Check Login and Logoff History in Windows Event Viewer

  • Step 1 – Go to Start âž” Type “Event Viewer” and click enter to open the “Event Viewer” window.
  • Step 2 – In the left navigation pane of “Event Viewer”, open “Security” logs in “Windows Logs”.
  • Step 3 – You will have to look for the following event IDs for the purposes mentioned herein below.Event IDDescription4624A successful account logon event4625An account failed to log on4648A logon was attempted using explicit credentials4634An account was logged off4647User-initiated logoff

For user logon, you have to search for 4624 and 4648 logon event IDs. For failed logon, you have to search for 4625. For logoff events, you have to search for 4634 and 4647.

The following screenshot shows Windows Event ID 4648 for the user logon attempted using explicit credentials.

Privacy Matters

Support.com is committed to your privacy
We do not share or sell your data to third parties. We do use cookies and other third-party technologies to improve our site and services. The California Consumer Privacy Act (CCPA) gives you the ability to opt out of the use of cookies, third-party technologies and/or the future sale of your data. Do not sell my personal information.

Support.com is committed to your privacy
Read our Privacy Policy for a clear explanation of how we collect, use, disclose and store your information

©2024 RealDefense LLC. Support.com is a trademark owned by RealDefense LLC.
PRIVACY
TERMS OF USE