As you stated, the DC does not capture logins on a remote computer with cached credentials, as the computer may not always be physically connected to the domain. Instead, you'll have to check his computer directly while his computer is online.
You can use the Event Viewer or the wevtutil command at a command prompt to manage event logs on a remote computer.
- Start Event Viewer.
- Click the root node, for example Event Viewer (Local), in the console tree.
- On the Action menu, click Connect to Another Computer.
- In the Another computer box, type the name or IP address of the remote computer.
- (Optional) Select Connect as another user, click Set User, enter the User name and Password, and then click OK.
- Click OK.
Source: Work with Event Logs on a Remote Computer - Microsoft TechNet
Search for Event 4648 - A logon was attempted using explicit credentials on his computer.
As the description says, it is only when a logon uses explicit credentials. This event is generated on logging in or unlocking even with saved credentials (i.e. Remote Desktop).
Note: As with any event, you can do additional filtering to remove any automatically generated events (less common with 4648 and username). The GUI (on the Filter tab) provides filtering on some fields. Using the XML tab, you can filter on any field within the event.
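An added example, not part of the answer above: a PowerShell script that pulls Event ID 4648 from one or more workstations remotely (the same Security log the Event Viewer steps connect to), keeps only the logons that fall outside working hours, and counts them per account. Assumed: admin rights on the workstations, remote event log access allowed through the firewall, working hours of 08:00 to 18:00 Monday to Friday, and placeholder computer names.

```powershell
# Added example, not from the answer. Placeholder workstation names and assumed
# working hours; adjust both for your environment.
$Computers = @('WS-PLACEHOLDER01')   # workstation(s) to query
$Since     = (Get-Date).AddDays(-30) # look back one month, matching the per-month threshold
$WorkStart = 8                       # hour of day, inclusive
$WorkEnd   = 18                      # hour of day, exclusive

$results = foreach ($pc in $Computers) {
    try {
        # Remote query of the Security log; 4648 = logon with explicit credentials
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable @{
            LogName = 'Security'; Id = 4648; StartTime = $Since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent also throws when no events match, so this is not always a failure
        Write-Warning "${pc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of parsing the Message text
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Drop machine accounts (names ending in $); these are the automatic noise the note mentions
        if ($d.SubjectUserName -match '\$$' -or $d.TargetUserName -match '\$$') { continue }
        $t = $e.TimeCreated
        $offHours = ([int]$t.DayOfWeek -in 0, 6) -or      # Sunday = 0, Saturday = 6
                    ($t.Hour -lt $WorkStart) -or ($t.Hour -ge $WorkEnd)
        if (-not $offHours) { continue }
        [pscustomobject]@{
            Computer = $pc
            Time     = $t
            Subject  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Process  = $d.ProcessName
            Server   = $d.TargetServerName
        }
    }
}

# Per-account count of off-hours logons in the window (the "more than 10 is suspicious" check)
$results | Group-Object Target | Select-Object Name, Count | Sort-Object Count -Descending
# Full detail, oldest first
$results | Sort-Object Time | Format-Table -AutoSize
```

The same raw query from a command prompt, for a quick look before scripting, is `wevtutil qe Security /r:WS-PLACEHOLDER01 /q:"*[System[EventID=4648]]" /c:20 /f:text`.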
Something to consider potentially would be to make the user accounts use a login script and add some logic in that to have something put into a log file on a hidden share or something. Another thing to consider is to disallow login at specific times for specific accounts in AD Users and Computers. If they are not supposed to log in during those times, you can actually enforce a policy to prevent that entirely instead of having to dig in a log, find out who did this, report it or talk to them about it, etc. after the fact. Just a couple quick thoughts on the topic. – Pimp Juice IT – 2017-07-07T12:54:00.020
Do you have more than one DC? If so, you'd have to monitor all of them for logon events unless you can guarantee which DC will be used to authenticate the user. – I say Reinstate Monica – 2017-07-08T18:41:11.997
If your only data source is event log data from a DC, then you do not have access to enough information to capture all relevant logon events. Are you certain you cannot include events captured by the user's workstation in your query? – I say Reinstate Monica – 2017-07-10T16:08:37.827
There are many workstations. I might think of a solution using a log hub; is that possible without using third party tools? – DiegoS – 2017-07-10T18:59:22.233
Diego - You say *"My main goal is to detect when a user access to his computer outside from work hours"* so I'm curious what will be done with this data you gather that has the logins during these non-work hours? Additionally, you could set up a login script to run that, if it cannot find the DC or hidden share, logs to a local log file, and then have logic in there that also states if the hidden share is available, copy over the latest local login file to the same share but a separate subfolder perhaps and have the log name be `%computername%.log` perhaps. This would show cached logins. – Pimp Juice IT – 2017-07-10T20:32:02.987
The "out of hour access" is allowed for my users. But I must monitor if they access a lot. Let's say 1 or 2 accesses per month is right, but more than 10 is suspicious activity. If the script can write directly in the Windows event file that would be awesome, and that would be my answer. – DiegoS – 2017-07-10T20:35:58.520