
When a Windows user logs into the Active Directory Domain

I have been asked to find out when a specific user logged in today.  

Management suspects that specific user is punching in, from a phone app; but the same user is not actually on premises.  I have been asked to find out when she has actually logged in today (3/29/2018).  I went to both Active Directory Domain Controllers and looked in the 'Event Logs' - 'Windows Logs' - 'Security' - logs.

I then searched for the user name and the earliest instance for 3/29/2018 is 8:53 am.  

I have the same results on both Active Directory Domain Controllers.  Is this the best way to see when this user has logged in?  We do not have any other special reporting software.
1 Solution
Lee W, MVP (Technology and Business Process Advisor) commented:
Best way would be to use a logon script to record actual logons.

We don't know your network or what services are exposed to end users.  

What's the logon type (scroll down the list in the General tab)?
2 = interactive - that's a logon to the computer (of course, they could have logged in via LogMeIn or something like that... but I don't know what your network has).

See http://techgenix.com/logon-types/
Michael Machie (Full-time technical multi-tasker) commented:
I concur with Lee on the best method (and do not want any points, just giving you another validation of his thoughts and to provide extra info).

Additionally, those logs will show logins to authenticate for email, VPN, etc. The logon types, linked above by Lee, are your best clue when using these particular event logs for this purpose. Those same logs should also show the name of the computer the user logged in to, so if they logged into PC #1 and you know PC #1 is their primary desktop PC, then you can assume they logged in locally. If it shows they logged into an RDS server as the PC name, then they probably logged in remotely.

Also, if you have a firewall that can track VPN users, then you can reference those logs to see if the user connected to VPN prior to logging into a PC, which would show they were outside the office as well.

Another way to catch someone is to disable RDP for that User on their PC so they cannot remote in and must be onsite.
Pkafkas (Network Engineer, Author) commented:
The users will be logging into Terminal Servers.

The login type is '3' = Network

Is it correct to say that if I check the logs and click on the 'Find People' module to search for the username, then it will search for that username and the next instance going down (past)?  I would hate to accuse someone of logging in at 8:53 am when they say they are logging in at 8:45 am.  I need to show proof.  Is this good enough proof?
Michael Machie (Full-time technical multi-tasker) commented:
I've never relied on them as proof of physical User login, only as info for tracking stale workflows and network congestion. Such as with unnecessary connections for copiers, scanners, active sync, HID/prox cards, software defaults, automated tasks, mapped drives etc.
Naveen Sharma commented:
How to Monitor User Logons in Active Directory Domain:

How to audit who logged into a computer and when:

Hope this helps!
Shaun Vermaak (Technical Specialist/Developer) commented:
Management suspects that specific user is punching in, from a phone app; but the same user is not actually on premises.
If this is an issue, why allow it?
Pkafkas (Network Engineer, Author) commented:
The "punch in" option is a 3rd party solution (PayChex) and anyone can download that app.

So is the "Event Viewer" - "Security logs" not a good way to see when someone is logging in?  I would think it is inconvenient for a large organization; but it should not be inaccurate.  I checked on both AD controllers and they come up with the same time for the user.  Is it not an accurate way to see when someone has logged on?
Michael Machie (Full-time technical multi-tasker) commented:
It is an accurate way to see when the credentials were used to log into some domain resource. It does not tell you whether or not the user was physically performing the logon function.
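As an added example (not code from any poster in this thread), the PowerShell below pulls the fields Lee and Michael point to, the logon type, the workstation name and the source address, out of the 4624 events for one account on one day, so the raw timeline behind an "8:53 am" claim can be listed rather than eyeballed in Event Viewer. The account name and date are assumed placeholders; run it on each DC and also on the Terminal Server itself, which records the RDP session as a type 10 logon where the DCs only see the type 3 network logons.

```powershell
# Added example: list 4624 (successful logon) events for one account on one
# day from this machine's Security log. $User and $Day are assumptions.
param(
    [string]$User = 'jdoe',                  # assumed sAMAccountName
    [datetime]$Day = (Get-Date '2018-03-29')  # assumed date to examine
)

# Logon type codes as documented for event 4624
$typeNames = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

# Pull every successful logon within the day; the user filter is applied
# afterwards because FilterHashtable cannot filter on TargetUserName.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Day.Date
    EndTime   = $Day.Date.AddDays(1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TargetUserName'] -ne $User) { continue }   # -ne is case-insensitive
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = "$($d['LogonType']) ($($typeNames[$d['LogonType']]))"
        Workstation = $d['WorkstationName']   # the machine the user came from
        SourceIP    = $d['IpAddress']         # blank or '-' for local logons
        AuthPackage = $d['AuthenticationPackageName']
    }
}

# Earliest entry first; the first row is the day's earliest credential use
$rows | Sort-Object Time | Format-Table -AutoSize
```

As Michael notes, a row here proves that the credentials were presented from that workstation or address at that time, not who was sitting at the keyboard; a source address on the VPN range is the cue to cross-check the firewall's VPN logs.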