When a Windows user logs into the Active Directory Domain

I have been asked to find out when a specific user logged in today.  

Management suspects that specific user is punching in, from a phone app; but the same user is not actually on premises.  I have been asked to find out when she has actually logged in today (3/29/22018).  I went to both Active Directory Domain Controllers and Looked in the 'Event Logs' - 'Windows Logs' - 'Security' - logs.

I then searched for the user name and the earliest instance for 3/29/2018 is 8:53 am.  

I have the same results on both Active Directory Domain Controllers.  IS this the best way to see when this user has logged in?  We do not have any other special reporting software.
PkafkasNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lee W, MVPTechnology and Business Process AdvisorCommented:
Best way would be to use a logon script to record actual logons.

We don't know your network or what services are exposed to end users.  

What's the logon type (scroll down the list in General tab).
2 = interactive - that's a logon to the computer (of course, they could have logged in via LogMeIn or something like that... but I don't know what your network has.

See http://techgenix.com/logon-types/
Michael MachieIT SupervisorCommented:
I concur wth Lee on the best method (and do not want any points, just giving you another validation to his thoughts and to provide extra info).

Additionally, those logs will show logins to authenticate for email, vpn etc. The logon types, linked above by Lee, are your best clue when using these particular event logs for this purpose. Those same logs should also show the name of the computer the User logged in to, so if they logged into PC #1 and you know PC #1 is their primary desktop PC, then you can assume they logged in locally. If it shows they logged into an RDS server as the PC name then they probably logged in remotely.

Also, if you have a firewall that can track VPN users, then you can reference those logs to see if the user connected to VPN prior to logging into a PC, which would show they were outside the office as well.

Another way to catch someone is to disable RDP for that User on their PC so they cannot remote in and must be onsite.
PkafkasNetwork EngineerAuthor Commented:
There users will be logging into Terminal Servers.

The login type is '3' = Network

is it correct to say that if I check the logs and click on the 'Find People' module to search for the username then it will search for that username and the next instance going down (past).  I would hate to accuse someone of logging in at 8:53 am when they say they are logging in at 8:45 am.  I need to show proof.  is this good enough proof?
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Michael MachieIT SupervisorCommented:
I've never relied on them as proof of physical User login, only as info for tracking stale workflows and network congestion. Such as with unnecessary connections for copiers, scanners, active sync, HID/prox cards, software defaults, automated tasks, mapped drives etc.
Naveen SharmaCommented:
How to Monitor User Logons in Active Directory Domain:

How to audit who logged into a computer and when:

Hope this helps!
Shaun VermaakTechnical Specialist IVCommented:
Management suspects that specific user is punching in, from a phone app; but the same user is not actually on premises.
If this is an issue, why allow it?
PkafkasNetwork EngineerAuthor Commented:
The "punch in" option is a 3rd party solution (PayChex) and anyone can download that app.

So is the "Event Viewer" - "Security logs" not a good way to see when someone is logging in?  I would think it is inconvenient for a large organization; but, it should not be inaccurate.  I checked on both AD controllers and they come up with the same time for user.  Is it not a accurate way to see when someone has logged on?
Michael MachieIT SupervisorCommented:
It is an accurate way to see when the credentials were used to log into some domain resource. It does not tell you whether or not the user was physically performing the logon function.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.