
Auditing Logins


Beau71 (MIS), Jul 18, 2006
I need to audit a user to verify when they are logging on to their computer in the morning. I have a program that monitors the Event Logs and will notify me when certain criteria are met.

I am trying to decipher what is considered a logon, and I have been unable to search the internet successfully and get a cut and clear answer.

I believe I am going to be looking at either Event ID 538 or 540, but when I have been doing test logons, the Event Viewer is flooded with those. How would I distinguish what is an actual login?
 
The following are auditable logon events:

- 672 An authentication service (AS) ticket was successfully issued and validated
- 673 A ticket granting service (TGS) ticket was granted
- 674 A security principal renewed an AS ticket or TGS ticket
- 675 Pre-authentication failed
- 676 Authentication ticket request failed
- 677 A TGS ticket was not granted
- 678 An account was successfully mapped to a domain account
- 680 Identifies the account used for the successful logon attempt
- 681 A domain account logon was attempted
- 682 A user has reconnected to a disconnected Terminal Services session
- 683 A user disconnected a Terminal Services session without logging off

Hope this helps
 
I am just looking for the event that is generated from someone after a successful logon. Looking at those, I see that maybe 678 is the one? I am not too sure. However, in my security logs the only events I am seeing are 538, 540 and 576.

My Audit settings are as follows:
Audit account logon events - Success, Failure
Audit account management - No auditing
Audit directory service access - No auditing
Audit logon events - Success
Audit object access - No auditing
Audit policy change - No auditing
Audit privilege use - No auditing
Audit process tracking - No auditing
Audit system events - Success
 
540 is a successful network logon (as opposed to local logon), 538 is logoff, and 576 indicates a privilege assignment. In my experience trying to audit using these events is useless, as the system generates them for all kinds of access, not just when the user first logs on in the morning/logs out in the afternoon. I would recommend using logon/logoff scripts to record entries to a CSV file or some type of database. Then what you're looking for can be easily analyzed.
 
You could also use VBS to write to the event log, triggering a custom entry. That could be used in a logon script as crobin1 mentioned.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
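To make the two suggestions above concrete (crobin1's logon/logoff script writing to a CSV, and the custom event-log entry the monitor can trigger on), here is an added example that is not from any post in this thread. It assumes PowerShell 3.0 or later, an event source named LoginAudit registered once per machine with administrative rights, and a placeholder share \\FILESERVER\LogonAudit$ that users can write to.

```powershell
<#
 Added example, not from this thread. Assumptions: PowerShell 3.0+, event source
 'LoginAudit' already registered on the machine (New-EventLog needs admin rights),
 placeholder share \\FILESERVER\LogonAudit$ writable by users.
 Assign as logon script with -Action Logon, as logoff script with -Action Logoff,
 and run with -Report from an admin workstation to analyse the CSV.
#>
param(
    [ValidateSet('Logon', 'Logoff')] [string]$Action = 'Logon',
    [string]$CsvPath = '\\FILESERVER\LogonAudit$\logons.csv',   # placeholder path
    [string]$Source  = 'LoginAudit',
    [switch]$Report
)

# Report mode: first recorded logon per user per day, i.e. "when did they
# arrive this morning", which the raw 540/538 events cannot tell you directly.
function Get-FirstLogonPerDay {
    param([string]$Path)
    Import-Csv -Path $Path |
        Where-Object { $_.Action -eq 'Logon' } |
        Group-Object { $_.User + '|' + ([datetime]$_.Timestamp).ToString('yyyy-MM-dd') } |
        ForEach-Object { $_.Group | Sort-Object Timestamp | Select-Object -First 1 }
}
if ($Report) { Get-FirstLogonPerDay -Path $CsvPath | Format-Table -AutoSize; return }

# One record per real logon/logoff: a logon script only runs when the user
# actually signs in, unlike 540, which also fires for every network connection.
$record = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('s')           # sortable ISO 8601 local time
    Action    = $Action
    User      = "$env:USERDOMAIN\$env:USERNAME"
    Computer  = $env:COMPUTERNAME
    Session   = (Get-Process -Id $PID).SessionId   # console vs. Terminal Services session
}
$message = '{0}: {1} on {2} (session {3})' -f $record.Action, $record.User,
           $record.Computer, $record.Session

# 1. Custom Application-log entry so the existing event-log monitor can match on
#    Source + EventId. EventId 1000 is an arbitrary choice for this example.
try {
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType Information -Message $message -ErrorAction Stop
} catch {
    Write-Warning "Event source '$Source' is not registered on this machine: $_"
}

# 2. CSV row for later analysis; still written even if the event-log step failed.
$record | Export-Csv -Path $CsvPath -Append -NoTypeInformation -Encoding UTF8
```

The share should allow users to append but not to read or modify other users' rows (write-only for the Users group, full control for administrators), since the CSV is itself an audit record.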
 
This is such a simple idea, I don't know why I didn't think of it before. Thank you so much.

For everyone's record, I wrote a Login script that made use of BMAIL.exe.

The script is as follows:
bmail.exe -s <EMAIL SERVERNAME> -t TOADDRESS@domain.com -f LoginAudit@domain.com -b "%username% has logged in." -a Login

I also used group policy to disable Locking the computer so the users are forced to log off at the end of the day.
 
There is also this add-on to Active Directory that creates an extra tab when viewing a User's properties. I forgot the name of the app but if I view User's properties it shows me their last Logon, last Logoff, last Bad logon, logon count, SID and a lot of other useful info. Not sure what kind of network you have though.
 
useracctinfo I think is the dll that displays advanced user account information (time of last logon etc.)
 
It is ACCTINFO.DLL which is part of the Account Lockout Tools download from Microsoft.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 