Active Directory Auditing

  • Active Directory Auditing

    Hi

    This is my first post so please be gentle.

    I work at a large company and we currently have around 2000 users who all access the same domain.

    I was asked earlier this week by our HR dept if we could pull off all the login times for one particular user for the month of June. I can quite easily pull off the last login for the user, although when it comes to going back historically to get a login time for each day in June I am at a loss as to the best way to do this, or if it's possible.

    I can archive the security event log, but it would mean trawling through the logs each time I was asked a question like this. Are there any better solutions/strategies that you are aware of for auditing within AD?

    Any thoughts/suggestions would be appreciated.
    Thanks
    Martin

  • #2
    Re: Active Directory Auditing

    I don't think you will get any joy from the security logs anyway to be honest, I certainly haven't ever been able to get a definitive list of when a user actually logged on to a PC rather than just whenever they accessed a network resource (see my thread here: http://social.technet.microsoft.com/...f-6b9a6c23f3c5 )

    The most common way of doing this seems to just be to use a logon script for all users that writes the current user's name, current date/time, and the PC name to a text file or database on the network. I don't particularly like this because there is nothing stopping a user from editing this file/database if they knew where it was (they have to have permission to write to it because the logon script will be running in their security context).

    There are third party products that will do this kind of thing but no decent free ones that I'm aware of. Here's one that I've looked at in the past: http://www.netwrix.com/logon_reporter_freeware.html
    Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

    My blog: http://cjwdev.wordpress.com


    • #3
      Re: Active Directory Auditing

      Logons are checked using audit "account logons", whereas resource access is from "logon" events.

      Auditing will need to be checked on each domain controller, and obviously must be enabled in advance!

      Look at tools like SCOM or GFI's Event Manager (other tools exist) to centralise storage and monitoring
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **
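
Added example, not part of any post in this thread: one way to answer the original question from the domain controllers' Security logs once account logon auditing is on, by collecting Kerberos TGT requests (event 4768) for one account from every DC and summarising them per day. A TGT request happens at workstation logon but also at other times (ticket expiry, other authentications), so the first request of each day only approximates the logon time. Assumptions: DCs running Windows Server 2008 or later, PowerShell 3.0+, the ActiveDirectory module, logs that still reach back to June, and a hypothetical account name `jsmith`.

```powershell
# Added example: per-day Kerberos TGT requests for one user, gathered from all DCs.
Import-Module ActiveDirectory

$User  = 'jsmith'                    # hypothetical account name (assumption)
$Start = [datetime]'2011-06-01'      # inclusive, local time
$End   = [datetime]'2011-07-01'      # exclusive, local time

# The event log stores UTC; build an XPath filter so the DC does the filtering.
$s = $Start.ToUniversalTime().ToString('o')
$e = $End.ToUniversalTime().ToString('o')
$xpath = "*[System[EventID=4768 and TimeCreated[@SystemTime>='$s' and @SystemTime<'$e']]]" +
         " and *[EventData[Data[@Name='TargetUserName']='$User']]"

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Each DC logs only the requests it answered, so every DC must be queried.
        Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                     -FilterXPath $xpath -ErrorAction Stop |
            ForEach-Object {
                # Read the named EventData fields instead of relying on positions.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$d.Name] = $d.'#text'
                }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    DC     = $dc.HostName
                    Client = $data['IpAddress']
                    Status = $data['Status']
                }
            }
    } catch {
        # Also raised when a DC has no matching events (or its log has rolled over).
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

# Keep successful requests (Status 0x0) and report the first one for each day.
$events | Where-Object { $_.Status -eq '0x0' } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Day';      e = { $_.Name } },
                  @{ n = 'FirstTGT'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                  @{ n = 'Client';   e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Client } },
                  @{ n = 'Requests'; e = { $_.Count } }
```

A warning for a DC means either that it answered no requests for the account in the period or that its Security log no longer covers June, which is why forwarding these events to a central store is worth setting up before the question is asked.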


      • #4
        Re: Active Directory Auditing

        Thanks for the suggestions guys, much appreciated. I will do some reading on the links you provided but this certainly gives me a better idea of how to go about this.


        • #5
          Re: Active Directory Auditing

          Originally posted by Ossian:
          Logons are checked using audit "account logons", whereas resource access is from "logon" events.
          If you take a look at that thread of mine on Technet that I linked to, you'll see I did enable Account Logons auditing and still only ever got an interactive logon audit logged when I actually logged on to the DC directly (via RDP) and not when a user logged on to their computer. I've also checked on our production network (which also has account logons auditing enabled) and the same is true there.

          • #6
            Re: Active Directory Auditing

            Active Directory audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. For example, the audit log can show that Joe modified his favorite drink attribute in the directory, but it cannot show his previous favorite drinks or what the attribute was after he changed.
            [MOD EDIT] plagiarised from http://technet.microsoft.com/en-us/l...07(WS.10).aspx[/MOD EDIT]
            Since your company size is 2000, it's better to use some third party software.
            Last edited by Ossian; 9th September 2011, 10:37. Reason: re check
