YMartin asked:

Need to log user logins on DC 2008R2

Default DC policy is set to log "Audit account logon events" and "Audit logon events" under Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.

Yet the Security windows log shows no logon events despite hundreds of logon events occurring each day.  

I need to be able to list users who logged onto a terminal server as well as each time a user logs in at a workstation.  

I am seeing lockout events but not logon success or failure.  

I would also need to track logins on IIS sites like OWA and another app.

GPresult does show the policy is applied.
RSOP shows the above settings are applied from the correct policy.

I have been through several tutorials which state the above settings should do what I am looking for.  Any help would be appreciated.
arnold:

Create a user GPO
User configuration, security settings, logon script
@echo off
rem Append one line per logon. %COMPUTERNAME% holds the workstation name (%computer% is not a standard variable).
echo user %USERNAME% logged in on %COMPUTERNAME% >> \\shareserver\share\everyone_writeable.log

You can add date, from where, etc.
You could use a VBScript that will record this same data in a database.
You can also have a logout script to record the event when the user logs off. Note that if the user resumes a session, that will not be reflected; the event type will distinguish among the various options.

If you have an SNMP trap server, add SNMP to all the DCs and use evntwin to map the event log security events of interest to SNMP traps.
On the SNMP trap server you can process the incoming traps, extracting the user, time, source (server requesting authentication confirmation), connection source of the user, and type of connection, i.e. network, login, logout, access to a resource, resuming a session, etc.
YMartin (asker):
Thanks arnold,

I had used the logon script; however, there are some instances where it has failed to log users. I had not traced it down, but a good percentage of logons were not getting logged by the script.

I think for the SNMP traps to work the events need to be present in the server logs.  

My problem is getting the events to appear in the event log at all.  Any idea why no events are appearing?
A GPO usually applies when the DC is within a reasonable distance. A user that uses a laptop that is joined to the domain can log into it without having access to the network. When the user connects to the network, access to the resources on the network will be granted.

You need to define your scenario.

Do you have multiple DCs? Are you scanning all the available DCs?
Are the systems you are discussing stationary (non-mobile) and always on the LAN?

You set up two logging events: one domain GPO-based login and another local policy login, meaning that
when the system is on the LAN there are two records, a local log file and a domain log file.
When the system starts up and is on the LAN, you can have a Computer GPO that will copy/process the local login record to a share/DB.
i.e. I use the laptop login/logout...

Three days later I am in the office; when I boot the system while connected on the LAN, the computer startup script will process the local login/logout file and add the records within to the database. A flat file will mean it will append out of order:
today's entry
prior days' entries from my system.
Run auditpol /get /category:* and check you are auditing success and failure on all logon-related audits.
Better do that on your domain controllers.
ANY logon attempt is recorded in the security log on the DC.
Usually the audit policy is to record said events on the systems to which the user logs in.

The user logs into the workstation; the workstation sends an authentication/authorization request to the DC; the DC records the request from the workstation about a login attempt of the user.
The audit policy will mean that the workstation's security log will also reflect the login attempt.
YMartin (asker):
I think I need to simplify the question.  

I have set this setting:
https://technet.microsoft.com/en-us/library/cc976395.aspx
and this setting:
https://technet.microsoft.com/en-us/library/cc976367.aspx

Yet no entries of any value appear in the event log.  The description states
if success auditing for account logon events is enabled on a domain controller, then an entry is logged for each user validated against that domain controller even though the user is actually logging on to a workstation that is joined to the domain.

I am expecting these events and they do not appear with the exception of 4625 which is "Account Lockout".  https://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx
There are no logon events.  There are 4 logoff events but all of them are for the "system" account and not users logging into workstations.

The users are logging on and off all the time but no logging is taking place.
I understand what you say; can you please run the command I gave you on your domain controllers and post the output?
YMartin (asker):
Our posts crossed in submission.  Here is the result.  It does seem to indicate that logging is not enabled for logon or logoff.  I would sure like to find out where to turn it on.
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             Success
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

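The check arnold describes (auditpol /get /category:*), run over the kind of output YMartin posted, as an added PowerShell example that is not part of the thread: it parses the auditpol table, flags the logon-related subcategories that are not set to Success and Failure, and prints the auditpol /set command that would enable each. The function names are mine, and the English subcategory names are an assumption about locale; run it on the DCs (Account Logon subcategories) and on the terminal server (Logon/Logoff subcategories).

```powershell
# Added example, not from the thread. Works on Windows PowerShell 2.0 (2008 R2) and later.
$LogonSubcategories = @(
    'Logon', 'Logoff', 'Special Logon', 'Other Logon/Logoff Events',
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Other Account Logon Events'
)

# Turn the auditpol text table into objects with Category, Subcategory and Setting.
function ConvertFrom-AuditpolText {
    param([string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^(System audit policy|Category/Subcategory)') { continue }
        if ($line -match '^(\S.*)$') { $category = $Matches[1].Trim(); continue }   # category row
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            New-Object PSObject -Property @{ Category = $category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

# Report each logon-related subcategory that is not fully audited, with the command to fix it.
function Get-MissingLogonAudits {
    param([string[]]$AuditpolLines)
    ConvertFrom-AuditpolText -Lines $AuditpolLines |
        Where-Object { ($LogonSubcategories -contains $_.Subcategory) -and ($_.Setting -ne 'Success and Failure') } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Subcategory = $_.Subcategory
                Current     = $_.Setting
                FixCommand  = 'auditpol /set /subcategory:"' + $_.Subcategory + '" /success:enable /failure:enable'
            }
        }
}

# Use the live policy when auditpol is available; otherwise fall back to a constructed
# sample (not captured output) that mirrors the shape of the table posted in the thread.
$lines = if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    auditpol /get /category:*
} else {
    @('System audit policy',
      'Category/Subcategory                      Setting',
      'Logon/Logoff',
      '  Logon                                   No Auditing',
      '  Account Lockout                         Success and Failure',
      'Account Logon',
      '  Credential Validation                   No Auditing')
}
Get-MissingLogonAudits -AuditpolLines $lines | Format-Table Subcategory, Current, FixCommand -AutoSize
```

The script only prints the auditpol /set commands; review them before running, since a GPO that sets advanced audit policy will reapply its own subcategory settings at the next refresh.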

ASKER CERTIFIED SOLUTION
Nadav Solomon
This solution is only available to members.
YMartin (asker):
Thank you Nadav,

Auditpol now shows Logon/Logoff as being audited and Logon/Logoff events are rolling in.
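As an added example that is not from the thread: once the Logon subcategory is audited, this PowerShell script lists the console and RDP logons per user from a server's Security log, which is the terminal-server listing the question asked for. Get-UserLogons and the parameter names are mine; it assumes the standard fields of Security event 4624 (successful logon) and the usual logon type codes.

```powershell
# Added example, not from the thread. Run on (or point at) the terminal server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # e.g. the terminal server name
    [int]$Hours = 24
)

# Standard Security-log logon type codes (assumption: the well-known Windows values).
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Read 4624 events and pull the user, logon type and source out of each event's XML.
function Get-UserLogons {
    param([string]$Computer, [int]$SinceHours)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$SinceHours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $typeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "$type" }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = $data['TargetDomainName'] + '\' + $data['TargetUserName']
            LogonType   = $typeName
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Drop machine accounts (names ending in $) and keep only console, RDP and cached-credential
# sessions; network logons (type 3) are file-share and service noise, not users signing in.
$interactive = 'Interactive', 'RemoteInteractive', 'CachedInteractive'
Get-UserLogons -Computer $ComputerName -SinceHours $Hours |
    Where-Object { $_.User -notmatch '\$$' -and $interactive -contains $_.LogonType } |
    Sort-Object Time |
    Format-Table Time, User, LogonType, Source, Workstation -AutoSize
```

Reading a remote Security log needs an account with the Event Log Readers (or administrator) rights on that server.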
Glad I could help, thanks for the feedback.