AD logs and PC/IP info

I am trying to determine times a user logged into the domain and from what PC. I guess logs on the domain controller may list successful logon/logoff times, but would they only include the domain username, or would they also include any clues on the PC used to login to the domain? I don't currently have any access to a DC to see what information the logs include?
Who is Participating?
MaheshConnect With a Mentor ArchitectCommented:
With windows 2008 account logon events are categorized as 4624, 4634 and 4647 and 4768

4624 does tell you about workstation logon details, but do not tell you user details
4634 does tell you about workstation logoff details only
4647 are logoff events
4768 are Kerberos events for users

None of the above events gives you idea about logged on user account on domain

In reality when you enable audit account logon events on default domain controller policy, it should log both user and computer activity related to logon in single event

Hence you can try below
In Default domain controller policy enable "Audit account logon events for success and failure and in advanced audit policy settings in same GPO enable credential validation for success, It might give you both user and computer logon details on domain controller
I have not tested credential validation, however you can test that
pma111Author Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.