History of logon times in AD?

Solution 1:

You can trawl through all Domain Controller logs looking for EventID 672 (Kerberos Authentication Ticket Granted). If you want to be absolutely sure that the user was subsequently successfully logged in you may want to correlate this with a subsequent event with EventID 673 indicating that there was an actual service ticket granted, not just the ticket-granting ticket that 672 tracks. There is a good write-up about these and related EventIDs in this TechNet article.

This is about the only way I know of that can allow you to track historical AD logons after the fact at the domain level if you are not using some third party mechanism or script that is already in place. The content of these Events will contain the user name and the IP address of the system the logon originated from (the specific details of those fields are in the linked article but are obvious when you look at them). It's important to remember that this will only be of use if you have Domain Controller logs that go back far enough, and it can be a lot of work if you have a large number of DCs. There is no way to use these events (or any other Kerberos related events) to track logoff times as those are not mediated by domain controllers.

At the workstation level you can dig through the logs looking for EventID 528 Type 2 to track local interactive logons (even those using Domain Accounts) and EventID 538 Type 2 to track logoff events, which can give you a better idea of the actual times the user spent logged in. The key problem with these is that they are only useful if you know exactly which systems the user logged in from in the first place. The Type field is critical as there will typically be many more EventID 528/538 events of Type 3 that indicate connection/disconnection from network resources such as file shares, etc. You can find more information on these events in this Microsoft KB article.

For Windows 2003 functional level domains the AD keeps a consistent copy of the "LastLogonTimeStamp" attribute replicated across all DCs, but that will simply tell you the last successful logon time and won't give you any idea of the history of logons.
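As an added example (not part of the answer above), here is the correlation the answer describes, run over constructed sample records: each 672 TGT grant is confirmed by a following 673 service-ticket grant for the same user, and 528/538 Type 2 pairs on a workstation are turned into sessions while Type 3 network entries are skipped. The `Event` record layout and the sample values are assumptions, not the real Security-log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:  # one Security-log record, reduced to the fields the answer uses (assumed layout)
    time: datetime
    event_id: int        # 672/673 on a DC, 528/538 on a workstation
    user: str
    host: str            # the DC or workstation that logged the event
    client_ip: str = ""  # origin of the request, present on 672/673
    logon_type: int = 0  # 2 = interactive, 3 = network; only meaningful for 528/538


def _t(h, m, s=0):
    return datetime(2024, 1, 8, h, m, s)


SAMPLE = [  # constructed sample records, not real logs
    Event(_t(9, 0, 0), 672, "alice", "DC1", client_ip="10.0.0.5"),
    Event(_t(9, 0, 2), 673, "alice", "DC1", client_ip="10.0.0.5"),
    Event(_t(9, 5, 0), 672, "bob", "DC1", client_ip="10.0.0.7"),  # TGT only, never used
    Event(_t(9, 0, 5), 528, "alice", "WS01", logon_type=2),      # console logon
    Event(_t(9, 30, 0), 528, "alice", "WS01", logon_type=3),     # file-share access, ignored
    Event(_t(9, 31, 0), 538, "alice", "WS01", logon_type=3),
    Event(_t(17, 0, 0), 538, "alice", "WS01", logon_type=2),     # console logoff
]


def confirmed_dc_logons(events, window=timedelta(minutes=10)):
    """Return (user, client_ip, time) for each 672 followed by a 673 for the same user within window."""
    tickets = sorted((e for e in events if e.event_id == 673), key=lambda e: e.time)
    confirmed = []
    for tgt in sorted((e for e in events if e.event_id == 672), key=lambda e: e.time):
        for svc in tickets:
            if svc.user == tgt.user and tgt.time <= svc.time <= tgt.time + window:
                confirmed.append((tgt.user, tgt.client_ip, tgt.time))
                break
    return confirmed


def workstation_sessions(events):
    """Pair each 528 Type 2 with the next 538 Type 2 for the same user on the same host."""
    open_logons, sessions = {}, []
    for e in sorted(events, key=lambda e: e.time):
        if e.logon_type != 2:  # Type 3 entries are network connections, not console sessions
            continue
        key = (e.user, e.host)
        if e.event_id == 528:
            open_logons[key] = e.time
        elif e.event_id == 538 and key in open_logons:
            sessions.append((e.user, e.host, open_logons.pop(key), e.time))
    return sessions
```

Bob's lone 672 is dropped as unconfirmed, and alice's Type 3 share access does not disturb her single console session.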