Can Windows logoff events be tracked?
Posted
by Massimo
on Server Fault
See other posts from Server Fault
or by Massimo
Published on 2010-04-22T11:45:38Z
Indexed on
2010/04/22
11:53 UTC
Read the original article
Hit count: 320
I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers.
Auditing logon events can get somewhat tricky, but it can succesfully be done.
My problem: how can I track logoff events?
Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone.
This is a very specific question: is something logged on DCs when a user logs off from a domain workstation?
To clarify: I'm not intereseted in other auditing mehods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers security logs; reading each workstation's local event logs is out of question.
If this can't be done, it's ok; but I need a clear answer on that.
- Can this be done?
- If yes, how?
© Server Fault or respective owner