I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers.
Auditing logon events can get somewhat tricky, but it can successfully be done.
My problem: how can I track logoff events?
Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone.
This is a very specific question: is something logged on DCs when a user logs off from a domain workstation?
To clarify: I'm not interested in other auditing methods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers' security logs; reading each workstation's local event logs is out of the question.
If this can't be done, it's ok; but I need a clear answer on that.
- Can this be done?
- If yes, how?