sherlock1

Report to show log on and log off timestamp information for an AD user

Hi Experts,

Is it possible to output a report into a csv file that shows the log on and log off timestamp history information of a Windows Active Directory user?

The report is only needed to be filtered for 1 specific AD user and the key information I would like in the output is:
• Username
• Login date / time
• Logout date / time
• Successful / failed logon status

I believe this information would need to be extracted from the security event logs on each domain controller, and I had in mind a script such as a PowerShell script (ideally a script that looks at all the DCs in the domain would be good).

Thanks
Jacob Durham
I just went through this.

Short answer - it's very complex since AD doesn't record this information. Running a script against either the DCs or every computer is going to take time and resources.

What are you trying to find out? Do you know the computer name that the user was logging into?
Question is: how long back would you want to be able to look? Security event logs are limited in size and by default they might only be able to tell for a few weeks. So logon/logoff scripts that write to files would be easy and better suited.
sherlock1

ASKER

Jacob / McKnife - Thanks for your replies. I would like to check as much log on / log off history as possible that is available; if there is only around 2 weeks' worth of data then that's OK.
It's the existing history data that already exists that I need and not future log on / log off data, so log on / log off scripts to record new data would not be suitable.

I thought AD recorded this information within the security section of the Windows event logs on the domain controllers? If a script needs to be run against each domain controller (about 10 in total), whilst that's not ideal, if that's the only option then that would be OK.
The report is not intended for me specifically (it's for HR), so I don't know the exact reason for the request and probably won't be able to find out the exact reason, and no, I don't know the computer name which the user would normally log onto (I'm presuming you mean which client computer name here).
Look, if you would like to check as much as possible, then establish domain logon/logoff scripts, simple batches, something like this:
->logoff
echo %time% on %date%>>\\server\share\logoff\%username%at%computername%.txt

->logon
echo %time% on %date%>>\\server\share\logon\%username%at%computername%.txt

Step 1: Create the following two files using Notepad or your favorite text editor:

——logon.cmd—-
echo logon %username% %computername% %date% %time% >> \\sbs\share\logon.log

—–logoff.cmd—–
echo logoff %username% %computername% %date% %time% >> \\sbs\share\logon.log


Step 2: Update Group Policy to run the appropriate batch file. In Group Policy, go to:
User Configuration-> Windows Settings-> Scripts (Logon/Logoff)-> Logon


Step 3: As users log on and off, your log file should look something like this:

logon June VSXP Tue 22/02/2005 10:39:51.12
logoff June VSXP Tue 22/02/2005 10:41:08.45
logon MickM VSXP Tue 22/02/2005 10:42:01.07
logoff MickM VSXP Tue 22/02/2005 10:42:46.81
Jacob - thanks for the future suggestion. However, I'd like to check existing log on / log off history for 1 specific AD user as per my previous message, not new log on / log off data.

Is this possible?
Sure - but do you have a specific computer? Searching against all DCs is going to take a very long time.
ASKER CERTIFIED SOLUTION
McKnife
Jacob- no I don't have a specific computer account as per my earlier message

If I need to check against each DC that's ok

McKnife - Thanks for the weblink. Does that do log on & log off data? I guess it outputs results within the PowerShell window rather than to a file / csv?
1st, open rsop.msc to see if auditing is even active and what is audited. If it is not, use the default domain controllers policy to turn it on.
2nd, afterwards, do a gpupdate /target:computer on all DCs
3rd, do a test logon and look at what events enter the DC's security event log at logon and at logoff.
Then, tune the script. It looks for event 4624 now (logon).

If that works, we'll look at the output.
Ok, is the remote login type the same as domain logon?
& local login is logging on locally on the client computer?
Was auditing turned on? Else, you will not be able to look into the past.
About the logon types, see the table at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events and also try it out to see what is logged when.
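
The kind of query the steps above lead up to, as an added PowerShell example that is not part of the thread and is not the script from the hidden solution: it reads event 4624 (the ID named above) plus 4625 (failed logon) and 4634 (logoff) from every DC's Security log for one user and writes a CSV. The account name `jdoe` and the output path are placeholders, and it assumes the ActiveDirectory module and read access to each DC's Security log.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and rights to read
# the Security log on each DC. 'jdoe' and the output path are placeholders.
Import-Module ActiveDirectory

$User    = 'jdoe'                       # sAMAccountName to report on (placeholder)
$OutFile = '.\logon-report-jdoe.csv'    # constructed output path

# 4624 is the event the thread mentions; 4625 (failed logon) and 4634 (logoff)
# are added to cover the status and logoff columns the asker wants.
$Meaning = @{ 4624 = 'Logon/Success'; 4625 = 'Logon/Failure'; 4634 = 'Logoff/Success' }

# Filter on the DC itself so only this user's events cross the network.
$XPath = "*[System[(EventID=4624 or EventID=4625 or EventID=4634)]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$User']]"

$Report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                               -FilterXPath $XPath -ErrorAction Stop
    } catch {
        # Covers an unreachable DC as well as "no matching events" on that DC.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read fields by name; positional indexes differ between event IDs.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action, $status = $Meaning[[int]$e.Id] -split '/'
        [pscustomobject]@{
            Username         = $data['TargetUserName']
            Time             = $e.TimeCreated
            Action           = $action
            Status           = $status
            LogonType        = $data['LogonType']      # see the logon types table linked above
            LogonId          = $data['TargetLogonId']  # empty for 4625
            SourceAddress    = $data['IpAddress']
            DomainController = $dc.HostName
        }
    }
}

$Report | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
```

A logon row and its logoff row share the same LogonId on the same DC, which is how the two timestamps of one session can be paired in the CSV.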
You can also check this article, which defines the process to audit the successful or failed logon and logoff attempts in the network using the audit policies.
McKnife - Auditing is enabled & thanks for the additional weblink
Thanks all for your help. I think I have the info needed now thanks.
Thanks a lot all for your help on this