Solved

How to log the user logon / logoff activity on Windows Server 2008 DC

Posted on 2009-12-17
Last Modified: 2012-05-08
Hi;

I would like to keep track of the users' logon and logoff times on my Windows Server 2K8 DC. I have enabled the Logon/Logoff audit in Group Policy, but when I checked the Security log, the User column is showing "N/A" only.

Any idea?
Question by:KANEWONG
15 Comments
 
LVL 7

Expert Comment

by:grantsewell
ID: 26073786
Did you set the audit policy in the Default Domain Controller Policy?
0
 
LVL 8

Expert Comment

by:dicconb
ID: 26073814
You need to enable the "Account Logon" and "Account Logoff" audit options in the Default Domain Controllers group policy. Logon and Logon events appear on the actual machine that's being logged on to (e.g. an XP client); Account Logon events appear on the DC.
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26073871
Hi;

I turned it on but still not able to see it under the User column, please see my attached snapshot.
logon.GIF
0

 
LVL 7

Expert Comment

by:grantsewell
ID: 26074045
Event ID 4624 identifies the account that requested the logon - NOT the user who just logged on. The subject is usually N/A or possibly one of the service principals and not usually useful information. Try adding the logon/logoff auditing for the policies affecting your computers, and you should see a difference.

Cheers,

Grant
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26074214
Where can I find the Logon/Logoff policy? Is it under Default Domain Policy | Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy?

0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26074257
I have this turned on.
Audit.GIF
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 26074358
The same is enabled in the "Default Domain Controllers Policy", correct?
0
 
LVL 8

Expert Comment

by:dicconb
ID: 26074430
I agree with grantsewell - as we mentioned above, you need to enable "Account Logon" auditing in the "Default Domain Controllers" policy. This is the GPO that is linked to the Domain Controllers OU.
The success/failure events will appear in the Security event log on the domain controller that processed the user's logon.  If you have multiple domain controllers in the site you will need to check the logs on each one in turn.
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26074571
I did. What should the event ID be if the setting is correct?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 26074624
528 is success logon
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26074920
I found event id is 4624.

An account was successfully logged on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

New Logon:
      Security ID:            DC\BP
      Account Name:            BP
      Account Domain:            DC
      Logon ID:            0x58a8721
      Logon GUID:            {5e7a8d87-d1b6-c8fd-9982-e46ab2c5ae84}
0
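Added example (not from the thread or from Microsoft): a parser for the event text posted above that reads the account from the "New Logon" section rather than the NULL SID "Subject", then pairs the logon with its logoff on Logon ID. Assumptions not found in the thread: event 4634 as the logoff record, the abridged sample text, and the timestamps.

```python
from datetime import datetime
# Constructed input: abridged 4624 text from the thread plus a matching 4634; times invented.
LOGON_4624 = """An account was successfully logged on.
Subject:
      Security ID:            NULL SID
      Account Name:            -
      Logon ID:            0x0
Logon Type:                  3
New Logon:
      Account Name:            BP
      Account Domain:            DC
      Logon ID:            0x58a8721"""
LOGOFF_4634 = """An account was logged off.
Subject:
      Account Name:            BP
      Logon ID:            0x58a8721
Logon Type:                  3"""
EVENTS = [(datetime(2009, 12, 17, 9, 0), 4624, LOGON_4624),
          (datetime(2009, 12, 17, 9, 45), 4634, LOGOFF_4634)]

def parse_sections(message):
    """Return {section: {field: value}}; unindented fields go under ''."""
    sections, current = {"": {}}, ""
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                      # description sentence or blank line
        if line[0].isspace():
            sections[current][key] = value.strip()
        elif value.strip():
            sections[""][key] = value.strip()   # e.g. "Logon Type: 3"
        else:
            current = key                 # section header such as "New Logon:"
            sections[current] = {}
    return sections

def sessions(events):
    """Pair 4624 with 4634 on Logon ID; returns (user, logon_type, start, end)."""
    open_logons, out = {}, []
    for when, event_id, message in sorted(events, key=lambda e: e[0]):
        s = parse_sections(message)
        if event_id == 4624:
            new = s["New Logon"]          # the account that logged on, not Subject
            user = new["Account Domain"] + "\\" + new["Account Name"]
            open_logons[new["Logon ID"]] = (user, int(s[""]["Logon Type"]), when)
        elif event_id == 4634 and s["Subject"]["Logon ID"] in open_logons:
            user, ltype, start = open_logons.pop(s["Subject"]["Logon ID"])
            out.append((user, ltype, start, when))
    return out
```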
 
LVL 21

Expert Comment

by:snusgubben
ID: 26075164
There are alternatives to audit logons than through the event log (which can be a little messy, especially if you've got more than one DC).

Option 2 in this link is another way: http://support.microsoft.com/kb/556015


SG
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26075796
Using the provided script is one of the alternatives and it works, but if the user accesses the system via VPN, it won't be able to log. In Windows 2003, it can show the user name in the Security log, but in Win 2K8 it doesn't; weird.
0
 
LVL 24

Accepted Solution

by:Awinish (earned 1000 total points)
ID: 26080214
In Windows 2008 auditing is different & it has to be configured via auditpol.

http://support.microsoft.com/kb/921469/en-us 
http://technet.microsoft.com/en-us/library/cc755264(WS.10).aspx 
 
 
Use the auditpol command to disable auditing on file system and Filtering Platform Packet Drop on the Vista machines.
 
auditpol /set /subcategory:"file system" /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
 
Use the command - auditpol /get /category:"Object Access"
Description of security events in Windows Vista and in Windows Server 2008
 
http://support.microsoft.com/kb/947226 
0
 
LVL 1

Author Comment

by:KANEWONG
ID: 26084581
Good reference. Thanks!
0
