Closed

Auditing User logon/logoff events.

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

I have one Domain controller, one ADC with Win2000 Server with SP4 and
others are some clients having win2000 professional OS with SP4.

What is my intention is, i need to track the User login and logoff
information when the users logon / logoff from their client machines then i
should able to see the user logon / logoff information in my Domain
controller Event Viewer.

For that i did enable the "audit logon events" in my Domain Controller -->
Domain controller Security Policy --> security settings --> local policies
--> audit policy..

Then i found some event logs in Domain controller Security event viewers
having event ids 540 and 538. 540 is the successful network logon and 538 is
for logoff.
After 540 event id, immediately its showing 538 event id. I got very
confused about this.. And also i found in some websites they mentioned like
528 for user login and 529 is for user logoff.. But i am not finding those
event ids in my Domain controller event viewer.

I am trying to solve this issue for a long time. But till to now there is no
luck.. If any one knows about this kindly pls inform me.. Thanks in Advance.

Varadarajam.P.V.
7 answers Last reply
More about auditing user logon logoff events
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    What you want to do is to enable auditing of "account logon events" in
    Domain Controller Security Policy" and either do not use auditing of "logon
    events" there or just enable it for failure. Auditing of account logon
    events will record when users logon to the domain. Logon events would only
    show type 3 network logons to the domain controller for when a user/computer
    access a share on the domain controller such as the sysvol share. However
    auditing of account logon events will only display logons for the users -
    not logoffs. To track user logons and logoffs from specific domain computers
    you will need to enable auditing of "logon events" on those domain computers
    which can be done via Group Policy. Those logon/logoff events would be
    recorded in the local security logs of the domain computers. The link below
    may be of help. --- Steve

    http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx


    "Varadarajam" <Varadarajam@discussions.microsoft.com> wrote in message
    news:2F321DCC-6FA4-4570-86D9-9A1491682400@microsoft.com...
    > Hi
    >
    > I have one Domain controller, one ADC with Win2000 Server with SP4 and
    > others are some clients having win2000 professional OS with SP4.
    >
    > What is my intention is, i need to track the User login and logoff
    > information when the users logon / logoff from their client machines then
    > i
    > should able to see the user logon / logoff information in my Domain
    > controller Event Viewer.
    >
    > For that i did enable the "audit logon events" in my Domain Controller -->
    > Domain controller Security Policy --> security settings --> local policies
    > --> audit policy..
    >
    > Then i found some event logs in Domain controller Security event viewers
    > having event ids 540 and 538. 540 is the successful network logon and 538
    > is
    > for logoff.
    > After 540 event id, immediately its showing 538 event id. I got very
    > confused about this.. And also i found in some websites they mentioned
    > like
    > 528 for user login and 529 is for user logoff.. But i am not finding those
    > event ids in my Domain controller event viewer.
    >
    > I am trying to solve this issue for a long time. But till to now there is
    > no
    > luck.. If any one knows about this kindly pls inform me.. Thanks in
    > Advance.
    >
    > Varadarajam.P.V.
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Steven

    Thanks for your response.

    Unfortunately i couldn't able to find what i need.. Actually i did what did
    u say in the document like i enabled "Account logon events" only in domain
    controller security policy for success and failure, and In "Audit logon
    Events" i enabled for failure only like what did u say.

    For the Users group policy i enabled Audit logon events for sucess and
    failure both..

    Then i am getting 672,673 event ids in my domain controllers event viewer.

    672 is for "authentication ticket granted", authentication type is 2. Here
    what did find his when any user is logging fromt their client machine then i
    can see this log in domain controller security log. Immediately i am finding
    673 events 3 more for the same user.. 673 is for "service ticket granted"..
    For logging off i am finding any log

    And suppose if the client lock the system and went away and again he will
    logon the system then i should able find the log in my domain controller
    event viewer.

    And in the client computer event viewer i am not finding any thing in the
    security log after i did like above..

    How about 528 and 529 events..Those are for what ?

    Actually i am fighting with this for the past 15 days. But there is no luck
    till to now..

    Pls help me Steven.. Waiting for your reply.

    Thanks

    Varadarajam.


    "Steven L Umbach" wrote:

    > What you want to do is to enable auditing of "account logon events" in
    > Domain Controller Security Policy" and either do not use auditing of "logon
    > events" there or just enable it for failure. Auditing of account logon
    > events will record when users logon to the domain. Logon events would only
    > show type 3 network logons to the domain controller for when a user/computer
    > access a share on the domain controller such as the sysvol share. However
    > auditing of account logon events will only display logons for the users -
    > not logoffs. To track user logons and logoffs from specific domain computers
    > you will need to enable auditing of "logon events" on those domain computers
    > which can be done via Group Policy. Those logon/logoff events would be
    > recorded in the local security logs of the domain computers. The link below
    > may be of help. --- Steve
    >
    > http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
    >
    >
    > "Varadarajam" <Varadarajam@discussions.microsoft.com> wrote in message
    > news:2F321DCC-6FA4-4570-86D9-9A1491682400@microsoft.com...
    > > Hi
    > >
    > > I have one Domain controller, one ADC with Win2000 Server with SP4 and
    > > others are some clients having win2000 professional OS with SP4.
    > >
    > > What is my intention is, i need to track the User login and logoff
    > > information when the users logon / logoff from their client machines then
    > > i
    > > should able to see the user logon / logoff information in my Domain
    > > controller Event Viewer.
    > >
    > > For that i did enable the "audit logon events" in my Domain Controller -->
    > > Domain controller Security Policy --> security settings --> local policies
    > > --> audit policy..
    > >
    > > Then i found some event logs in Domain controller Security event viewers
    > > having event ids 540 and 538. 540 is the successful network logon and 538
    > > is
    > > for logoff.
    > > After 540 event id, immediately its showing 538 event id. I got very
    > > confused about this.. And also i found in some websites they mentioned
    > > like
    > > 528 for user login and 529 is for user logoff.. But i am not finding those
    > > event ids in my Domain controller event viewer.
    > >
    > > I am trying to solve this issue for a long time. But till to now there is
    > > no
    > > luck.. If any one knows about this kindly pls inform me.. Thanks in
    > > Advance.
    > >
    > > Varadarajam.P.V.
    >
    >
    >
  3. For your purposes it might be worth looking into the NetWrix Logon Reporter(http://netwrix.com/logon_reporter_freeware.html) because it has the freeware edition and it’s easy to use. Rather than dealing with the constant confusion that your current log auditing process is causing, the NetWrix Logon Reporter does all the work for you and provides automated and easy-to-read reports of all logon activity. Logon Reporter is a purpose-built product that automatically consolidates and archives all types of logon events from all Active Directory domain controllers and provides reporting capabilities.
    I hope that helps,
    Stephen Schimmel, product manager, NetWrix Corporation
    www.netwrix.com
  4. Necropost
  5. I wanted to track the user logon and logoff also, but event viewer were to cumbersome with to much info to look through. Here is the solution I found by using a simple logon script which outputs logon info to a text file:

    http://ittrenches.com/?p=7
  6. Quote:
    interesting info, but I prefer to use Logon Sentry


    Sorry, you are in a wrong section. We are talking about corporate domain environment with windows servers/clients and lots of users.
  7. This topic has been closed by Mousemonkey
Ask a new question

Read More

Security Domain Controller Windows