Active Directory (AD) User Login History refers to the records of when and where users log in and log off within an AD environment. This data includes timestamps, the machines, or domain controllers accessed, and the success or failure of each login attempt. It is essential for tracking user activity, diagnosing issues, and maintaining overall network security. 

Auditing logon and logoff data is crucial for several reasons. They are vital for compliance with regulatory standards, and maintaining security by detecting unauthorized access attempts and potential security breaches. Analyzing this data can reveal compromised accounts, misconfigurations, or suspicious behavior that might indicate an ongoing attack. This article guides you through the process of viewing Active Directory user login history and auditing logon and logoff data.

Understanding AD Login History and Logon/Logoff Data

AD user login history provides detailed information about user authentication events, which can be essential for identifying security incidents, managing user access, and ensuring operational efficiency. Here’s a detailed overview of the various types of AD user login history:

1. Successful Logon Events: Successful logon events provide information about when and where users successfully log into the AD environment. Key details include:

• Event ID 4624: This event ID is used to record successful logons. It includes details such as the username, domain, logon type (interactive, network, batch, etc.), source network address, and the machine name from which the logon occurred.
• Attributes: Key attributes include:
  • Subject: User details of the account that logged on.
  • Logon Type: Indicates the type of logon (e.g., interactive, network, remote interactive).
  • Workstation Name: The name of the computer from which the user logged on.
  • Source Network Address: The IP address of the device used for the logon.

2. Failed Logon Events: Failed logon events are crucial for identifying potential security threats or authentication issues. Key details include:

• Event ID 4625: This event ID logs failed login attempts. It captures information such as the username, domain, failure reason, logon type, source network address, and the machine name from which the logon attempt was made.
• Attributes: Key attributes include:
  • Failure Reason: Provides details on why the logon attempt failed (e.g., bad password, user not found).
  • Account For Which Logon Failed: The username of the account that failed to log in.
  • Logon Type: Indicates the type of logon attempt.
  • Source Network Address: The IP address from which the failed logon attempt originated.

3. Logoff Events: Logoff events help in monitoring when and how users end their sessions. Key details include:

• Event ID 4634: This event ID records logoff events. It includes information about the user who logged off and the logon session ID.
• Attributes: Key attributes include:
  • Logon ID: Identifies the logon session that was terminated.
  • User Name: The username of the account that logged off.
  • Logon Type: Indicates the type of session that was terminated.

4. Account Lockout Events: Account lockout events are important for identifying potential brute-force attacks or unauthorized access attempts.  Key details include:

• Event ID 4740: This event ID records when an account is locked out. It provides details about the user account, the source of the lockout, and the time of the event.
• Attributes: Key attributes include:
  • Account Name: The username of the account that was locked out.
  • Source Network Address: The IP address from which the failed login attempts originated.
  • Lockout Time: The time when the account was locked out.

5. Special Logon Events: Special logon events include scenarios where users access the system in specific ways, such as through remote desktop services or administrative sessions.  Key details include:

• Event ID 4672: This event ID logs special privileges assigned to a user during logon. It includes details about the user and the privileges granted.
• Event ID 4670: This event ID tracks changes in user permissions and special privileges.
• Attributes: Key attributes include:
  • User Name: The username of the account with special privileges.
  • Privileges Assigned: Lists the specific privileges granted during the logon session.

6. Interactive Logon Events: Interactive logon events record when users log on directly to a computer.  Key details include:

• Event ID 4624 (with Logon Type 2): This event ID captures interactive logons, such as those performed directly at a workstation or server.
• Attributes: Key attributes include:
  • Workstation Name: The name of the computer where the logon occurred.
  • Logon Type: Indicates that the logon was interactive (i.e., physical access to the computer).

7. Network Logon Events: Network logon events capture user logons performed over a network connection.  Key details include:

• Event ID 4624 (with Logon Type 3): This event ID logs network logons, such as those using file shares or remote access services.
• Attributes: Key attributes include:
  • Source Network Address: The IP address from which the network logon was made.
  • Logon Type: Indicates that the logon was performed over a network.

8. Remote Interactive Logon Event: Remote interactive logon events capture logins made via remote desktop services.  Key details include:

• Event ID 4624 (with Logon Type 10): This event ID logs remote interactive logons, such as those made using Remote Desktop Protocol (RDP).
• Attributes: Key attributes include:
  • Workstation Name: The name of the remote computer used for the logon.
  • Source Network Address: The IP address of the remote device.

9. Account Logon Events: Account logon events provide details about authentication attempts at the domain level, including initial logon and subsequent authentication attempts. Key details include: 

• Event ID 4768: This event ID logs Kerberos Ticket Granting Ticket (TGT) requests. It includes details about the user and the ticket request.
• Event ID 4769: This event ID logs Service Ticket requests. It captures details about requests for access to specific services.
• Attributes: Key attributes include:
  • Ticket Information: Details about the Kerberos tickets issued.
  • Service Name: The service for which the ticket was requested.

10. Logon/Logoff Summarization and Reports: Summarizing and reporting on logon and logoff activities helps in visualizing patterns and trends.  Key details include:

• Custom Reports: Reports can be generated using tools like Event Viewer, PowerShell scripts, or third-party reporting tools to summarize logon activity, failed logon attempts, and session durations.

Configuring Active Directory for Auditing

In this section, we’ll guide you through configuring Active Directory for auditing. We’ll cover enabling auditing through Group Policy, setting up advanced audit policy configurations, and verifying that the auditing settings are working correctly. By following these steps, administrators can ensure comprehensive monitoring of user activities, system changes, and potential security threats.

Enable Auditing in Group Policy

1. Access Group Policy Management:: Open the Group Policy Management Console (GPMC) on a domain controller or a machine with administrative privileges:

• Go to Start > Administrative Tools > Group Policy Management.
• Alternatively, type gpmc.msc in the Run dialog box and press Enter.

2. Edit the Default Domain Policy or Create a New GPO: Choose an existing Group Policy Object (GPO) or create a new one to configure auditing settings.

• Navigate to the desired GPO under Group Policy Objects.
• Right-click the GPO and select Edit.

3. Navigate to Audit Policy Settings: Configure the specific audit policies to monitor logon and logoff events.:

• Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
• Here, you will find various audit settings that can be enabled or configured.

4. Configure Audit Policies: Set policies for auditing logon events, account management, and other relevant activities. Here are the settings to configure:

• Audit Logon Events: Enable both Success and Failure to track successful and failed logon attempts.
• Audit Account Logon Events: Enable this to audit logon events at the account level.
• Audit Account Management: Track changes to user accounts, such as creation, deletion, and modification.

5. Apply the GPO: Ensure the GPO is applied to the relevant Organizational Units (OUs) or domain controllers:

• Link the GPO to the appropriate OU or domain within Group Policy Management.
• Force a Group Policy update by running gpupdate/force on the target machines or waiting for the next policy refresh cycle.

Setup Advanced Audit Policy Configuration

1. Access Advanced Audit Policy Configuration: Advanced Audit Policy provides more granular control over what is logged: Follow the following steps to  access it:

• Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

2. Configure Detailed Audit Policies: Define specific audit policies to capture detailed events. Here are the policies to define:

• Logon/Logoff: Configure policies for detailed logon and logoff event tracking, including account logon, logoff, and special logon types.
• Account Logon: Track events related to authentication and account access.

3. Audit Policy Subcategories: Configure subcategories for more precise auditing. Here are examples:

• Logon/Logoff: Includes events like logon attempts, logoff, and account lockout.
• Account Management: Includes changes to user accounts, password resets, and group membership modifications.

4. Deploy the Settings: Apply the advanced audit settings to the target machines and domain controllers:

• Ensure that the audit policies are correctly deployed by using Group Policy Management.
• Verify settings through Event Viewer to confirm that the intended events are being logged.

Verifying and Monitoring Auditing

Verify Configuration:

• Check Event Viewer: After configuring auditing, use the Event Viewer (eventvwr.msc) to verify that auditing settings are working as expected. Navigate to Windows Logs -> Security to view the generated audit logs.

Monitor and Analyze Logs:

• Regular Review: Regularly review the security logs to identify and respond to potential security incidents. Look for unusual patterns or events that could indicate unauthorized access or policy violations.

Viewing and Analyzing User Login History

Viewing and analyzing user login history and login/logoff data can be achieved using various methods, including built-in Event Viewer, PowerShell, and third-party tools. Below is a detailed guide on how to use each of these methods to view and audit user login history:

Using Event Viewer

Event Viewer is a built-in Windows tool that provides a graphical interface for viewing and auditing event logs, including user login and logoff activities. The following are steps to view user login history and logoff data using Event Viewer:

• Open Event Viewer: Press Win + R, type eventvwr.msc, and press Enter to open the Event Viewer.
• Navigate to Security Logs: In the Event Viewer console, expand Windows Logs and select Security. This section contains the security-related events, including logon and logoff activities.
• Filter Events: To focus on specific logon/logoff events, use the “Filter Current Log” option in the Actions pane. Enter the relevant Event IDs: Event ID 4624 for successful logon, Event ID 4634 for Logoff, and Event ID 4625 for Failed logon.
• View Details: Click on individual events to view detailed information, such as the username, logon type, source IP address, and workstation name.
• Create Custom Views: For recurring tasks, create a custom view by selecting “Create Custom View” in the Actions pane. Define filters and criteria to save and quickly access relevant logon/logoff data.

Using PowerShell

PowerShell is a powerful scripting tool that allows for automated querying and reporting of event logs, including user login history. Here are steps to view user login history and logoff data using PowerShell:

• Open PowerShell: Launch PowerShell as an administrator.
• Query Event Logs: Use the Get-EventLog or Get-WinEvent cmdlet to retrieve logon/logoff events. Here are some example commands to use:
  • Successful Logins: Get-WinEvent -FilterHashtable @{LogName=’Security’; Id=4624} | Format-Table TimeCreated, @{Name=’User’; Expression={$_.Properties[5].Value}}, @{Name=’Source’; Expression={$_.Properties[18].Value}}
  • Failed Logons: Get-WinEvent -FilterHashtable @{LogName=’Security’; Id=4625} | Format-Table TimeCreated, @{Name=’User’; Expression={$_.Properties[5].Value}}, @{Name=’FailureReason’; Expression={$_.Properties[11].Value}}.
  • Logoffs: Get-WinEvent -FilterHashtable @{LogName=’Security’; Id=4634} | Format-Table TimeCreated, @{Name=’User’; Expression={$_.Properties[5].Value}}.
• Export Data: Export the results to a CSV file for further analysis or reporting: Get-WinEvent -FilterHashtable @{LogName=’Security’; Id=4624} | Export-Csv -Path “C:\Logs\Logons.csv” -NoTypeInformation.
• Automate Reports: Create PowerShell scripts to automate the generation of periodic reports on login and logoff activities.

Using Third-Party Tools

For some organizations, especially those with large and complex networks and user base, third-party tools offer more efficient and user-friendly solutions. They provide enhanced functionality for monitoring, analyzing, and reporting user login history and logon/logoff data.

ManageEngine ADAudit Plus – FREE TRIAL

This is where tools like ManageEngine ADAudit Plus come in handy. Just as the name suggests, ADAudit Plus keeps your network safe by monitoring and auditing all user logon and logoff activities and failures. It is a widely used third-party tool that showcases these advantages by offering real-time auditing of AD changes, user login activity, and logon/logoff events. It is a classic example of how third-party solutions can greatly enhance AD auditing capabilities. Its key features include: 

• Track User Logons and Logoffs: Monitor which computer or domain controller users have logged into last, identify their current login locations, and more.
• Track Users’ Logon History: Retrieve comprehensive logon history for individual users over specified periods, including remote logons and failed attempts.
• Map User Logons to a Machine: Generate clear reports showing which users are logged onto which computers and the timing of these logins, useful for breach investigations.
• Stay Updated on Logons and Logoffs: Receive real-time alerts via phone or email for logon failures or suspicious logon activities.
• Free Trial: A free 30-day trial is available on request. 

ManageEngine ADAudit Plus Start a 30-day FREE Trial

Viewing and analyzing AD user login history, as well as login and logoff data, can be efficiently handled through three primary methods: Event Viewer, PowerShell, and third-party tools. ADAudit Plus serves as an excellent example of a third-party tool, but there are many other options available with varying features and capabilities. When choosing a third-party solution, it’s crucial to consider your specific requirements and budget. Ultimately, depending on your organization’s needs, combining these methods can provide a robust approach to monitoring and securing your AD environment.