Forum.Brain-Cluster.com: Brain Cluster Technical Forum
tracking user log on | log off [message #162027] Tue, 13 October 2009 14:48
Cary Shultz (United States)
Messages: 127
Registered: August 2009
Senior Member
Good afternoon!

Somewhat simple request, but having issues finding a way to do this with a
fairly strong degree of certainty. A couple of things first:

1) WIN2003 Server...DFL is WIN2003, FFL is WIN2003
2) Multiple DCs in multiple Sites
3) Account Logon auditing is enabled in the DDCP
4) Security Logs on DCs increased to 256MB (do not want to go much
bigger)....holds five or six days' worth of data
5) Terminal Server environment...pretty much everyone uses Terminal Server
all day long....Account Logon auditing is enabled via GPO linked to the OU
in which the TS Boxes reside...
6) Security Logs increased to 256MB on the TS boxes as well (this holds lots
more - in terms of days).

I *think* that I know about this....

Look for the 528/540s for the logon and the 538 for the log offs in the
Security Logs on the Domain Controllers. Specifically looking for logon
type 10 (Terminal Server). I have lots of 528/540 for the user in question.
Lots. I also have lots of 538s as well. The IP Address of the machine
listed in the EventID is - as expected - the IP Address(es) of the Terminal
Server(s). Funny thing is that the 538 happens about 15 seconds after the
528/540. So, based on what I have found here the user logs on to the
Terminal Server and essentially immediately logs off? That makes no sense.

So, I go to the Terminal Servers and look for the 528/560s (logon) and the
551/538s (logoff). The IP Address of the machine listed is that of her
workstation (or, in this case, Thin Client). This all makes a lot more
sense. The logon is, for example, around 8:30AM and the log off is, for
example, around 5:15PM. And, there are not literally 25 different times of
day for the log on and 25 different times of day for log off.....pretty much
just the one set of logon events and one set of the logoff events....

Now, I also *think* that I know that logoffs are not so reliably
'monitored'....as per the following link:

http://blogs.msdn.com/ericfitz/archive/2007/05/08/the-trouble-with-logoff-events.aspx

So, finally my question: how do you all monitor/track/report user logon and
logoff activity? Or, do you? This specific client likes this
reporting/monitoring stuff....all kinds of requests for this type of stuff.

Thanks,

Cary
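As an added example (not from the original post), the following Python script pairs 528/540 logons of logon type 10 with their 538/551 logoffs by Logon ID and reports session length, which is what separates a real 8:30-to-5:15 Terminal Server session from the 15-second logon/logoff pairs seen on the DCs. The sample records, user names and Logon IDs are constructed for illustration; the field layout assumes you have already exported those columns from the Security log.

```python
from datetime import datetime

# Constructed sample records (not from the original post), one per Security event,
# as you might export them from a Windows 2003 DC or Terminal Server.
# Fields: timestamp, event id, user, logon type, Logon ID (hex string from the event).
SAMPLE_EVENTS = [
    ("2009-10-13 08:30:02", 528, "jdoe", 10, "0x1A2B3C"),
    ("2009-10-13 08:30:17", 538, "jdoe", 10, "0x1A2B3C"),   # 538 only 15 s after the 528
    ("2009-10-13 08:30:20", 540, "jdoe", 3, "0x1A2B99"),    # network logon, not type 10
    ("2009-10-13 08:31:00", 528, "jdoe", 10, "0x1A2C00"),
    ("2009-10-13 17:15:44", 538, "jdoe", 10, "0x1A2C00"),   # the real working-day session
    ("2009-10-13 09:05:10", 528, "asmith", 10, "0x2B0001"),  # no logoff in this log window
]

LOGON_IDS = {528, 540}
LOGOFF_IDS = {538, 551}   # 551 = user-initiated logoff, 538 = the actual logoff


def correlate_sessions(events, logon_type=10, min_seconds=60):
    """Pair each logon with its logoff by Logon ID and compute session length.

    Joining on Logon ID rather than on user name plus nearest timestamp is what
    makes the pairing trustworthy: one user can hold many concurrent sessions.
    Logoffs without a matching logon in the window are ignored.
    """
    open_sessions = {}   # Logon ID -> (user, logon time)
    sessions = []
    for ts, event_id, user, ltype, logon_id in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id in LOGON_IDS and ltype == logon_type:
            open_sessions[logon_id] = (user, when)
        elif event_id in LOGOFF_IDS and logon_id in open_sessions:
            user, start = open_sessions.pop(logon_id)
            secs = int((when - start).total_seconds())
            note = "short-lived; unlikely to be an interactive desktop session" if secs < min_seconds else ""
            sessions.append({"user": user, "logon_id": logon_id, "start": start,
                             "end": when, "seconds": secs, "note": note})
    for logon_id, (user, start) in open_sessions.items():   # still logged on, or logoff never audited
        sessions.append({"user": user, "logon_id": logon_id, "start": start, "end": None,
                         "seconds": None, "note": "no matching logoff event in this log window"})
    return sessions


if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_EVENTS):
        end = s["end"].strftime("%H:%M:%S") if s["end"] else "(open)"
        print(f"{s['user']:8} {s['logon_id']:10} {s['start']:%H:%M:%S} -> {end:8} {s['note']}")
```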
Re: tracking user log on | log off [message #162031 is a reply to message #162027] Tue, 13 October 2009 17:21
Jorge Silva (Portugal)
Messages: 398
Registered: July 2009
Senior Member
Hi
- As you already know, clients do not maintain a constant connection to AD;
they authenticate to a DC, get their token, and are then left on their
own.
- To monitor local sessions, AD logons, etc., you may need a more efficient
third-party tool. For Terminal sessions you have the TS Manager, which allows you
to check which users are logged on at a given time. If you want, you may also
look at custom scripts and/or the use of SCOM in order to get custom
reporting, etc.

--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
