2

I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers.

Auditing logon events can get somewhat tricky, but it can successfully be done.

My problem: how can I track logoff events?

Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone.

This is a very specific question: is something logged on DCs when a user logs off from a domain workstation?

To clarify: I'm not interested in other auditing methods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers' security logs; reading each workstation's local event logs is out of the question.

If this can't be done, it's ok; but I need a clear answer on that.

  • Can this be done?
  • If yes, how?
Massimo

2 Answers

1

You are correct, they aren't logged on your DCs. However, I believe (but am not positive) that if your auditing is high enough on the DCs, an event is logged when someone disconnects a network drive. So if you are mapping drives for your users, you could potentially track their logoffs by looking for that 'dismount' event. Even then, I'm not sure I would want to rely on that. You said you can't deploy scripts, but I'm just mentioning that in case you already are in your environment.

sinping
1

Looks like this just can't be done.

Nothing gets logged on DCs when a user logs off, apart from closed network sessions (but they can be closed anytime, not only upon logoffs).

Massimo