Auditing domain users logons to computers
Posted on 2013-02-07
We're trying to track which users in the organization are logging in and out of what computers and when.
So as a simple proof-of-concept, I figured I would try auditing what users are logging into and out of our domain controller (so it basically it should be just me).
I've poked around in the audit policy configuration section of the group policies on the server, and I can see that by default, servers should be auditing account logons.
If I go into event viewer and look at the "Security" section of Event Viewer I can indeed see the audit events - 227,000 of them since last week!!
There's all sorts of events in here and I can't make heads or tails of any of it. Clearly it's auditing a lot more than just users logging int othe server, it's auditing every authentication ever made.
.... are there any tools that can help make this easier to decipher or generate reports based on this information?