1

I'm trying to log all the failed and successful logins from my users' accounts for audit purposes (only username and time). Is there a way I can do it with my Windows Active Directory?

Diamond
Rodrigo

1 Answer

1

First, make sure auditing is enabled. How to enable Audit Failure logs in Active Directory?

Next, use the Security Event Log and filter for account logon events. (You can start with 4624 (logon) and 4625 (logon failed).)

Check out https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx?catid=1 and https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx?catid=2 to figure out which events are useful for the auditing you're trying to accomplish for your organization.

You'll have to filter out service accounts, etc. or just filter in your user accounts. You can do this in the event viewer if you write a custom XML filter.

If you're looking specifically for interactive logins, Events 4624/4625 have "login type" as a field; you'll want to filter for type 2: interactive login. It might be type 3: network login if you're collecting from the DC. (I'm away from the office, someone else please verify, I'm losing my sanity after reading Windows Domain Controller Authentication Logon Logging and Forensics)

See https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/ for how to do that part.

austinian
  • 1
    You also want to double check that auditing is enabled (use the domain controller GPO). – Joe Feb 08 '16 at 20:33
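
The filtering described in the answer above, as an added PowerShell example (not part of the original answer or comments): it runs a custom XML filter for events 4624/4625 with logon type 2 or 3 against the Security log and reduces the result to time, username and outcome. The excluded account names, the event cap and the output path are assumptions to adjust for your environment.

```powershell
# Added example: audit report of successful (4624) and failed (4625) logons.
# Run elevated on a domain controller or on a host that collects its Security log.

# Custom XML filter; the same text can be pasted into Event Viewer's "XML" filter tab.
# Logon types 2 (interactive) and 3 (network) are the ones the answer mentions.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and
      *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='3']]
    </Select>
  </Query>
</QueryList>
'@

# Assumption: accounts to drop besides machine accounts (whose names end in '$').
# 'svc-backup' is a placeholder for your own service accounts.
$excluded = @('ANONYMOUS LOGON', 'svc-backup')

$report = Get-WinEvent -FilterXml $filterXml -MaxEvents 5000 |
    ForEach-Object {
        # Index the named <Data> fields of the event so they can be read by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserName    = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = $data['LogonType']
            Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        }
    } |
    # The Event Log XPath subset has no wildcard match, so name-pattern
    # exclusions are applied here rather than in the XML filter.
    Where-Object { $_.UserName -notlike '*$' -and $_.UserName -notin $excluded }

$report | Sort-Object TimeCreated |
    Export-Csv -Path .\logon-audit.csv -NoTypeInformation
```

If the query returns nothing, confirm that logon auditing is actually enabled by the GPO applied to the machine being queried before adjusting the filter.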