exhuser
asked on
Record User Logon/Logoff Activity in AD
Hello,
I would like to monitor user login activity including when the user simply locks a workstation.
I downloaded Microsoft Log Parser, but for some it does not work against the Security log on the domain controller. The Parser, however, works against the System log on the same controller. Any ideas?
Any other solutions to monitor and audit the user activity?
Thank you.
ASKER
I am using Windows XP and Windows 7.
Would you have the exact syntax for the command?
Thanks.
There is no direct way to check this; if auditing is enabled you can check the DC event log to track it.
Instead of checking the eventvwr, with too much info to look through, you can use a simple logon/logoff script which outputs logon info to a text file.
How to track users logon/logoff
http://support.microsoft.com/kb/556015
If the account is getting locked then on the DC check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.
Note: If the event ID 644 has not occurred then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.
There may be many other causes for an account lockout:
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw was changed
• A SMARTPHONE!!!
For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx
You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626
Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
ASKER
Has anybody used Microsoft Log Parse 2.2 for this?
I am trying to see why it would not work against the domain controller\Security option, whereas I can run the same (or similar) query against domain controller\System?
Thanks
Ok so here is an example and a link to help you better understand.
logparser -i:EVT "select EventID, TimeWritten, Message from security where (EventID = 675 and EXTRACT_TOKEN(Strings,4,'|')='0x18') or (EventID = 681 and EXTRACT_TOKEN(Strings,3,'|')='0xC000006A') order by EventID, TimeWritten"
you can simply run this against the DC.
Here is an old article on using it:
http://windowsitpro.com/systems-management/access-denied-using-log-parser-audit-domain-logons
A primer on logparser:
http://www.orcsweb.com/blog/desiree/how-to-use-log-parser-to-query-event-log-data/
A good third party solution:
http://www.intersectalliance.com/projects/SnareWindows/index.html
ASKER
Again, I am getting "WARNING: Input format not specified - using TEXTLINE input format.
Error: WHERE clause: Syntax Error: unknown field 'eventid' with Security events
However, when I run the same against System events it works....
It might be a matter of syntax; here is a very clear example:
http://technet.microsoft.com/en-us/library/ee692659.aspx
The ones on the left are pre-Win7 / Vista (e.g. XP).
Here is a list of the event IDs
512 / 4608 STARTUP
513 / 4609 SHUTDOWN
528 / 4624 LOGON
538 / 4634 LOGOFF
551 / 4647 BEGIN_LOGOFF
N/A / 4778 SESSION_RECONNECTED
N/A / 4779 SESSION_DISCONNECTED
N/A / 4800 WORKSTATION_LOCKED
* / 4801 WORKSTATION_UNLOCKED
N/A / 4802 SCREENSAVER_INVOKED
N/A / 4803 SCREENSAVER_DISMISSED
ASKER
Again, it works if I type this command:
logparser -o:csv "select * into c:\temp\my
test.csv from \\DC1\system where eventid='XXX'"
However, when
logparser -o:csv "select * into c:\temp\my
test.csv from \\DC1\security where eventid='YYY'"
And the XXX and YYY events are in the event logs.
ASKER CERTIFIED SOLUTION
ASKER
I am a member of the Domain Admins group.
If you are running this as administrator and still having issues I'm not sure what might be the issue here.
I would try right clicking the window and run as administrator and see if we get the same error.
By default, an ordinary user does not have permission to read the security log.
(This seems to be an issue of permissions since it works for system logs)
ASKER
This issue is still not resolved.
Can you tell me if this works for you:
You have to run this from a PowerShell window:
Get-WinEvent -LogName Security -ComputerName servername
If that does I can whip something together so you can query for the events that track logon and logoff.
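As an added example (not code from this thread), here is what a Get-WinEvent query for the logon/logoff events listed earlier in the thread looks like once the permission problem is out of the way. It asks the Security log for the Vista/Win7 IDs (4624, 4634, 4647, 4778, 4779, 4800, 4801) and flattens each event's EventData into a row with the user, logon type and source address. The computer name 'DC1' is a placeholder. Two caveats worth knowing: the 4800/4801 lock/unlock events are written to the Security log of the workstation that was locked, and a DC's own 4624 events describe logons to the DC itself, so per-workstation activity has to be read from the workstations (or from logs forwarded from them), not from the domain controller.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ (-FilterHashtable).
# Reading the Security log needs an elevated prompt or membership in the
# Event Log Readers group; otherwise Get-WinEvent fails with "Access is denied".

# Vista/Win7+ event IDs from the table earlier in the thread.
# 4800/4801 are logged on the workstation being locked, not on the DC.
$LogonEventNames = @{
    4624 = 'LOGON'
    4634 = 'LOGOFF'
    4647 = 'BEGIN_LOGOFF'
    4778 = 'SESSION_RECONNECTED'
    4779 = 'SESSION_DISCONNECTED'
    4800 = 'WORKSTATION_LOCKED'
    4801 = 'WORKSTATION_UNLOCKED'
}

function Get-LogonActivity {
    param(
        [string]   $ComputerName = '.',                     # '.' = local machine
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )

    # FilterHashtable is evaluated by the event log service, so only matching
    # events cross the wire.
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]] $LogonEventNames.Keys
        StartTime = $Since
    }

    # -ErrorAction Stop surfaces a permissions failure instead of an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Per-event fields live in <EventData><Data Name="...">; flatten them.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject] @{
                Time      = $_.TimeCreated
                Computer  = $_.MachineName
                EventId   = $_.Id
                Activity  = $LogonEventNames[$_.Id]
                User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']   # 4624 only: 2 interactive, 3 network, 7 unlock, 10 RDP
                SourceIp  = $data['IpAddress']   # 4624 only
            }
        }
}

# Usage: one day of activity from a placeholder host, dropping the network
# (type 3) logons that file shares and services generate in bulk, to CSV.
$Target = 'DC1'   # placeholder; use the workstation name to see lock/unlock events
Get-LogonActivity -ComputerName $Target |
    Where-Object { $_.EventId -ne 4624 -or $_.LogonType -ne '3' } |
    Sort-Object Time |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\logon-activity.csv"
```

For the XP machines in the question, Get-WinEvent cannot read the legacy log remotely; use Get-EventLog with the left-hand IDs from the table (528, 538, 551) instead, keeping in mind that XP has no lock/unlock events at all.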
ASKER
I guess this was the problem, even though I am a member of Domain Admins group.
If Win7 or greater:
Parse for the following event IDs
4800 The workstation was locked.
4801 The workstation was unlocked.
If auditing is not enabled you will not see the above entries, so verify logon event auditing is enabled as shown below.
secpol.msc > Local Policies > Audit Policy: you can select the events you want to audit there.
Audit Other Logon/Logoff Events
http://technet.microsoft.com/en-us/library/dd772658(WS.10).aspx
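As an added example (not from the thread), the same check done from a prompt instead of secpol.msc: auditpol's CSV report mode (/r) tells you whether the "Other Logon/Logoff Events" subcategory that produces 4800/4801, and the "Logon"/"Logoff" subcategories that produce 4624/4634/4647, are actually being audited, and the second function turns them on if not. Subcategory names are the ones auditpol itself uses on Vista/Win7+.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell window.
# On a domain-joined machine an "Advanced Audit Policy" GPO setting will
# overwrite a local auditpol change at the next policy refresh, so make the
# change in Group Policy if one applies.

function Get-AuditSubcategoryState {
    param([string[]] $Subcategory)
    foreach ($name in $Subcategory) {
        # /r emits CSV (after a blank line) with the columns
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"$name" /r |
            Where-Object { $_ -match '\S' } |
            ConvertFrom-Csv
        [pscustomobject] @{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'   # 'No Auditing', 'Success', 'Failure', 'Success and Failure'
            Enabled     = $row.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

function Enable-AuditSubcategory {
    param([string[]] $Subcategory)
    foreach ($name in $Subcategory) {
        # Success is what logon/logoff tracking needs; failure adds bad-password attempts.
        auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (exit code $LASTEXITCODE)" }
    }
}

# The three subcategories behind 4624/4634/4647 and 4800/4801.
$needed = 'Logon', 'Logoff', 'Other Logon/Logoff Events'

$state = Get-AuditSubcategoryState -Subcategory $needed
$state | Format-Table -AutoSize

$missing = $state | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Subcategory
if ($missing) {
    Enable-AuditSubcategory -Subcategory $missing
    # Re-read to confirm the change took effect.
    Get-AuditSubcategoryState -Subcategory $missing | Format-Table -AutoSize
}
```

The state check is the part worth keeping around: run it on a workstation before spending time on a query that returns nothing, since with the subcategory at "No Auditing" the lock/unlock events are simply never written.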