Can Windows logoff events be tracked?

Posted by Massimo on Server Fault See other posts from Server Fault or by Massimo
Published on 2010-04-22T11:45:38Z Indexed on 2010/04/22 11:53 UTC
Read the original article Hit count: 320

I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers.

Auditing logon events can get somewhat tricky, but it can succesfully be done.

My problem: how can I track logoff events?

Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone.

This is a very specific question: is something logged on DCs when a user logs off from a domain workstation?

To clarify: I'm not intereseted in other auditing mehods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers security logs; reading each workstation's local event logs is out of question.

If this can't be done, it's ok; but I need a clear answer on that.

  • Can this be done?
  • If yes, how?

© Server Fault or respective owner

Related posts about active-directory

Related posts about auditing