How to Audit Who Logged into a Computer and When

IT administrators often need to know who logged on to their computers and when for security and submission reasons. Although you can use the native audit methods supplied through Windows to track user account logon and logoff events, you may end up having to sift through thousands of records to reach the ask log. Once you ’ ve found the command log, getting the want information for conformity and security reports is not an easy action .
In this article, you will learn how to audit who logged into a computer and when. You will besides learn about an easier manner in which you can audit logon/logoff events with Lepide Active Directory Auditor .

Enable Native Auditing of User Logon/Logoff Events

You can do this through two GPO settings :
Audit Logon Events: This fructify generates events for starting and ending logon sessions. These events happen on the machine where you log in.

Audit Account Logon Events: This mise en scene generates events on the calculator that validates logons. When a domain accountant authenticates a world user account, events are generated and stored on that domain restrainer .
Below are the steps to enable audit of drug user Logon/Logoff events

  • Step 1 – Open “Group Policy Management” console by running the “gpmc.msc” command.
  • Step 2 – If you want to configure auditing for the entire domain, right-click on the domain and click “Create a GPO in this domain, and Link it here…”.
  • Step 3 – Create a new GPO dialog box appears on the screen. Enter a new GPO name.
  • Step 4 – Go to the new GPO, right-click on it, and select “Edit” from the context menu.
  • Step 5 – “Group Policy Management Editor” window appears on the screen.
  • Step 6 – In the navigation pane, go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies” ➔ “Audit Policy”.
    step1 4Figure : Configuring audit logon events policy
  • Step 7 – In the right pane, double-click “Audit logon events” policy to open its properties window.
  • Step 8 – Select the “Success” and “Failure” checkboxes, and click “OK”.
  • Step 9 – Similarly, you have to enable “Success” and “Failure” for “Audit Account Logon Events”.
  • Step 10 – Close “Group Policy Management Editor”.
  • Step 11 – Now, you have to configure this new Group Policy Object (containing this audit policy) on all Active Directory objects including all users and groups. Perform the following steps.
    • In In “Group Policy Management Console”, select the new GPO (containing above change).
    • In “Security Filtering” section in the right panel, click “Add” to access “Select User, Computer or Group” dialog box.
    • Type “Everyone”. Click “Check Names” to validate this entry. Click “OK” to add it and apply on all objects.

    step2 5Figure : Applied the Group Policy Object to everyone

  • Step 12 – Close “Group Policy Management Console”.
  • Step 13 – Now, run following command to update GPO.
  • Step 14 – gpupdate /force

View the Logon events

After you have configured log on audit, whenever users logon into network systems, the event logs will be generated and stored. To find out the details, you have to use Windows Event Viewer. Follow the below steps to view logon audit events :

  • Step 1 – Go to Start ➔ Type “Event Viewer” and click enter to open the “Event Viewer” window.
  • Step 2 – In the left navigation pane of “Event Viewer”, open “Security” logs in “Windows Logs”.
  • Step 3 – You will have to look for the following event IDs for the purposes mentioned herein below.
    Event ID Description
    4624 A successful account logon event
    4625 An account failed to log on
    4648 A logon was attempted using explicit credentials
    4634 An account was logged off
    4647 User initiated logoff

For exploiter logon, you have to search for 4624 and 4648 event IDs. For fail logon, you have to search for 4625. For logoff events, you have to search for 4634 and 4647.

In this article, we are searching for events 4624 and 4648. The following screenshot shows Windows Event ID 4648 for the user logon attempted using denotative credentials .
step3 5Figure : Logon event in Event Viewer

Use Lepide Active Directory Auditor to audit User Logon/Logoff Events

Using Lepide Active Directory Auditor (part of Lepide Data Security Platform), you can well monitor a exploiter ’ second log on and log off activeness ( avoiding the complexities of native audit ). The solution collects log on information from all added domain controllers mechanically. Its report contains details on logon or logoff events, including when users logged in, from which computer, and when. You get accurate and instant reports on login details of users in the network. The following screenshot shows a successful drug user logon report event captured by Lepide Active Directory Auditor :
Lepide Logon Logoff AD ReportFigure : Successful User logon/logoff report


In this article, the steps to audit the drug user logon and logoff events through native audit are explained. however, much noise is generated for the logon or logoff events that make it complicated for the IT administrators to have a real-time view. The easiest and more effective way to audit the like with Lepide ’ s Active Directory auditing solution has besides been explained. To try Lepide Active Directory Auditor for yourself, download the free trial version nowadays .

reservoir :
Category : Tech

About admin

I am the owner of the website, my purpose is to bring all the most useful information to users.

Check Also


Manage participants in a zoom meeting webinar

Call the people who attend the meet as follows Alternate host host Who scheduled the …

Leave a Reply

Your email address will not be published.