YMartin
asked on
Need to log user logins on DC 2008R2
Default DC policy is set to log Audit account logon events and Audit logon events in Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
Yet the Security windows log shows no logon events despite hundreds of logon events occurring each day.
I need to be able to list users who logged onto a terminal server as well as each time a user logs in at a workstation.
I am seeing lockout events but not logon success or failure.
I would also need to track logins on IIS sites like OWA and another app.
GPresult does show the policy is applied.
RSOP shows the above settings are applied from the correct policy.
I have been through several tutorials which state the above settings should do what I am looking for. Any help would be appreciated.
ASKER
Thanks arnold,
I had used the logon script; however, there are some instances where it has failed to log users. I had not traced it down, but a good percentage of logons was not getting logged by the script.
I think for the SNMP traps to work the events need to be present in the server logs.
My problem is getting the events to appear in the event log at all. Any idea why no events are appearing?
A GPO usually applies when the DC is within a reasonable distance. A user that uses a laptop that is joined to the domain can log in to it without having access to the network. When the user connects to the network, access to the resources on the network will be granted.
You need to define your scenario.
Do you have multiple DCs? Are you scanning all the available DCs?
Are the systems you are discussing STATIONARY, non-mobile, and always on the LAN?
You set up two logging events: one domain GPO-based login and another local-policy login, meaning
when the system is on the LAN there are two records, a local log file and a domain log file.
When the system starts up and is on the LAN, you can have a Computer GPO that will copy/process the local login record to a share/DB.
i.e. I use the laptop login/logout...
Three days later I am in the office; when I boot the system while connected on the LAN, the computer startup script will process the local login/logout file and add the records within to the database. A flat file will mean it will append out of order:
today's entry
prior days' entries from my system...
Run auditpol /get /category:* and check you are auditing success and failure on all logon-related audits.
Better do that on your domain controllers.
ANY logon attempt is recorded in the security log on the DC.
Usually the audit policy is to record said events on the systems to which the user logs in.
User logs into workstation, workstation sends an authentication/authorization request to the DC. The DC records the request from the workstation about a login attempt of the user.
The audit policy will mean that the workstation's security log will also reflect the login attempt.
ASKER
I think I need to simplify the question.
I have set this setting:
https://technet.microsoft.com/en-us/library/cc976395.aspx
and this setting:
https://technet.microsoft.com/en-us/library/cc976367.aspx
Yet no entries of any value appear in the event log. The description states:
"if success auditing for account logon events is enabled on a domain controller, then an entry is logged for each user validated against that domain controller even though the user is actually logging on to a workstation that is joined to the domain."
I am expecting these events and they do not appear with the exception of 4625 which is "Account Lockout". https://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
There are no logon events. There are 4 logoff events but all of them are for the "system" account and not users logging into workstations.
The users are logging on and off all the time but no logging is taking place.
I understand what you say, can you please run the command I gave you on your domain controllers and post the output?
ASKER
Our posts crossed in submission. Here is the result. It does seem to indicate that logging is not enabled for logon or logoff. I would sure like to find out where to turn it on.
System audit policy
Category/Subcategory                        Setting
System
  Security System Extension                 No Auditing
  System Integrity                          No Auditing
  IPsec Driver                              No Auditing
  Other System Events                       No Auditing
  Security State Change                     No Auditing
Logon/Logoff
  Logon                                     No Auditing
  Logoff                                    No Auditing
  Account Lockout                           Success and Failure
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             No Auditing
  Other Logon/Logoff Events                 No Auditing
  Network Policy Server                     No Auditing
Object Access
  File System                               Success
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
Privilege Use
  Sensitive Privilege Use                   No Auditing
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing
Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
  Process Creation                          No Auditing
Policy Change
  Audit Policy Change                       No Auditing
  Authentication Policy Change              No Auditing
  Authorization Policy Change               No Auditing
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing
Account Management
  User Account Management                   No Auditing
  Computer Account Management               No Auditing
  Security Group Management                 No Auditing
  Distribution Group Management             No Auditing
  Application Group Management              No Auditing
  Other Account Management Events           No Auditing
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  No Auditing
Account Logon
  Kerberos Service Ticket Operations        No Auditing
  Other Account Logon Events                No Auditing
  Kerberos Authentication Service           No Auditing
  Credential Validation                     No Auditing
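The auditpol output above shows the legacy "Audit logon events" category applied by GPO while every Logon/Logoff and Account Logon subcategory except Account Lockout reads "No Auditing". The script below is an added example, not code from the thread or from any of its participants: it parses auditpol's CSV output on a DC, reports which logon-related subcategories are not auditing Success and Failure, prints the auditpol command that would enable each one, and applies them when run with -Apply. The set of subcategories it checks is my own choice; auditpol.exe itself and the SCENoApplyLegacyAuditPolicy registry value are standard Windows items.

```powershell
# Added example, not part of the thread: check the logon-related audit subcategories on a
# 2008 R2 DC and print (or, with -Apply, run) the auditpol commands that enable them.
# Assumes an elevated prompt; auditpol.exe is built in. The list of subcategories is my choice.
param([switch]$Apply)

# Subcategories behind the events the asker wants: 4624/4625 come from the Logon
# subcategory on the machine being logged on to; 4768/4769/4776 come from the Account Logon
# subcategories on the DC that validates the account.
$wanted = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events',
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Other Account Logon Events'
)

# /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$missing = @($current | Where-Object {
    ($wanted -contains $_.Subcategory) -and ($_.'Inclusion Setting' -ne 'Success and Failure')
})

foreach ($row in $missing) {
    $sub = $row.Subcategory
    Write-Output ("{0,-36} is currently '{1}'" -f $sub, $row.'Inclusion Setting')
    Write-Output ("  auditpol /set /subcategory:`"{0}`" /success:enable /failure:enable" -f $sub)
    if ($Apply) { auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null }
}
if ($missing.Count -eq 0) {
    Write-Output 'All listed logon subcategories already audit Success and Failure.'
}

# When this value is 1, the nine legacy categories such as "Audit logon events" are ignored
# and only the subcategories count, so a legacy GPO setting can show as applied in RSOP
# while auditpol still reports "No Auditing" for Logon/Logoff.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Output 'SCENoApplyLegacyAuditPolicy=1: legacy audit categories are overridden by subcategories.'
}
```

Run it on each DC first without -Apply to see what it would change. A local auditpol /set is a quick test; for a lasting fix, set the same subcategories in the Default Domain Controllers Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, so that they are reapplied at every policy refresh and are visible in RSOP alongside the legacy category.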
ASKER CERTIFIED SOLUTION
ASKER
Thank you Nadav,
Auditpol now shows Logon/Logoff as being audited and Logon/Logoff events are rolling in.
Glad I could help, thanks for the feedback.
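With Logon/Logoff events now being recorded, the original requirement was a list of who logged on to the terminal server and to each workstation. The script below is an added example, not code from the thread or from any of its participants: it reads 4624 (success) and 4625 (failure) events from the Security log of the host being logged on to, extracts the account, logon type and source from each event's XML, and filters out computer accounts and the built-in identities that produced the "system" entries the asker saw. The parameter names and the day-long default window are my choices; the event IDs, the EventData field names and the LogonType codes are standard Windows values.

```powershell
# Added example, not part of the thread: report who logged on to a terminal server or
# workstation from its own Security log, once the Logon subcategory audits Success and Failure.
# Assumes an elevated prompt on the host being queried, or -ComputerName with remote event
# log rights. Written for the PowerShell 2.0 that ships with 2008 R2 / Windows 7.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# LogonType values recorded in 4624/4625. Type 10 is an RDP / Terminal Server session,
# type 2 a console logon, type 3 a network logon (file share, IIS with Windows auth).
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML; both IDs carry these names.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Skip computer accounts (trailing $) and built-in identities; they are not users logging on.
    if ($d.TargetUserName -match '\$$') { continue }
    if (@('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE') -contains $d.TargetUserName) { continue }

    if ($e.Id -eq 4624) { $result = 'Success' } else { $result = 'Failure' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Result    = $result
        User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        LogonType = $logonTypes[[int]$d.LogonType]
        Source    = $d.WorkstationName
        SourceIP  = $d.IpAddress
    }
}

$records | Sort-Object Time |
    Select-Object Time, Result, User, LogonType, Source, SourceIP |
    Format-Table -AutoSize
```

Point it at the terminal server and keep only LogonType RemoteInteractive to get the RDP user list; point it at a workstation for console logons. Querying a DC with the same script returns 4624 events for logons to the DC itself, not to other machines: what a DC records for domain users logging on elsewhere are the Account Logon events (4768/4769 for Kerberos, 4776 for NTLM), which identify the account and the requesting workstation but not the logon type.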
User configuration, security settings, logon script
@echo off
rem Append one line per logon to the shared file; %COMPUTERNAME% is the built-in variable (%computer% is not set by Windows)
echo "user %username% logged in on %COMPUTERNAME%" >> \\shareserver\share\everyo
You can add date, from where, etc.
You could use a VBScript that will record this same data in a database.
You can also have a logoff script to record the event when the user logs off. Note that if the user resumes a session, that will not be reflected; the event type will distinguish among the variable options.
If you have an SNMP trap server, add SNMP to all the DCs and use evntwin to map the event log security events of interest to SNMP traps.
On the SNMP trap server you can process the incoming traps, extracting the user, time, source (the server requesting authentication confirmation), connection source of the user, and type of connection, i.e. network, login, logout, access to a resource, resuming a session, etc.
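The batch one-liner above appends straight to a share, which is why logons made while the share is unreachable (the laptop case described earlier in the thread) never get recorded. The script below is an added example, not code from the thread or from any of its participants: a PowerShell logon/logoff script that writes each record to a per-user local queue first and then flushes the queue to a per-computer file on the share whenever the share can be reached, so off-network logons are reported at the next logon on the LAN. The share path, the queue location and the CSV layout are assumptions.

```powershell
# Added example, not part of the thread: a logon/logoff script that queues records locally
# and flushes them when the share is reachable, so logons made off the LAN are not lost.
# Share and queue paths are assumptions; SESSIONNAME and the other variables are set by Windows.
param(
    [ValidateSet('Logon', 'Logoff')][string]$Event = 'Logon',
    [string]$Share = '\\shareserver\share\logons',              # assumed drop folder on the share
    [string]$Queue = "$env:LOCALAPPDATA\LogonAudit\queue.csv"    # assumed per-user local queue
)

$dir = Split-Path -Parent $Queue
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }

# One CSV line per event. ISO 8601 timestamps sort correctly when files from many machines
# are merged; SESSIONNAME separates a console logon (Console) from an RDP session (RDP-Tcp#n).
$fields = @(
    (Get-Date -Format 's'), $Event, ('{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME),
    $env:COMPUTERNAME, $env:SESSIONNAME
)
Add-Content -Path $Queue -Value ($fields -join ',')

# Flush the queue to a per-computer file on the share. If the share is unreachable or the
# write fails, the queue stays in place and goes out with the next logon or logoff on the LAN.
if (Test-Path $Share) {
    try {
        $target = Join-Path $Share ('{0}.csv' -f $env:COMPUTERNAME)
        Get-Content $Queue | Add-Content -Path $target -ErrorAction Stop
        Clear-Content $Queue
    } catch {
        # keep the queue for the next run
    }
}
```

Assign it twice under User Configuration > Policies > Windows Settings > Scripts, once as a logon script with the parameter -Event Logon and once as a logoff script with -Event Logoff. Give users only the right to create files and append data on the drop folder, not read or modify, so one user cannot read or alter another user's records; the script output is a convenience report, and the Security log on the DC and the target host stays the authoritative record.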