Auditing User logon/logoff events.

Guest

Hi

I have one domain controller, one ADC with Win2000 Server with SP4, and
the others are clients running the Win2000 Professional OS with SP4.

My intention is this: I need to track user logon and logoff
information. When users log on / log off from their client machines, I
should be able to see the user logon / logoff information in my domain
controller's Event Viewer.

For that I enabled "audit logon events" in my Domain Controller -->
Domain Controller Security Policy --> Security Settings --> Local Policies
--> Audit Policy.

Then I found some event logs in the domain controller's Security event viewer
with event IDs 540 and 538. 540 is the successful network logon and 538 is
for logoff.
After the 540 event ID, it immediately shows the 538 event ID. I got very
confused about this. I also found that some websites mention
528 for user login and 529 for user logoff, but I am not finding those
event IDs in my domain controller's event viewer.

I have been trying to solve this issue for a long time, but until now there has been no
luck. If anyone knows about this, kindly please inform me. Thanks in advance.

Varadarajam.P.V.
 
Steven L Umbach

What you want to do is to enable auditing of "account logon events" in
"Domain Controller Security Policy" and either do not use auditing of "logon
events" there or just enable it for failure. Auditing of account logon
events will record when users log on to the domain. Logon events would only
show type 3 network logons to the domain controller for when a user/computer
accesses a share on the domain controller such as the sysvol share. However,
auditing of account logon events will only display logons for the users -
not logoffs. To track user logons and logoffs from specific domain computers
you will need to enable auditing of "logon events" on those domain computers,
which can be done via Group Policy. Those logon/logoff events would be
recorded in the local security logs of the domain computers. The link below
may be of help. --- Steve

http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
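
Added example (not part of any post in this thread): a Python sketch that pairs successful logon events (528, 540) with the logoff event (538) by computer and Logon ID, which shows why a 540 on the domain controller is followed almost at once by a 538 while the workstation's own log holds the long interactive session. The CSV layout, host names, users and Logon IDs are constructed for illustration and are not a real Event Viewer export format.

```python
import csv
import io
from datetime import datetime

LOGON_EVENTS = {528, 540}   # 528 = successful logon, 540 = successful network logon
LOGOFF_EVENT = 538          # user logoff
LOGON_TYPES = {2: "interactive", 3: "network"}

# Constructed sample (hypothetical layout, not a real Event Viewer export):
# time,computer,event_id,user,logon_type,logon_id
SAMPLE = """\
2005-03-01 09:00:05,DC1,540,alice,3,0x1a2b
2005-03-01 09:00:06,DC1,538,alice,3,0x1a2b
2005-03-01 09:00:02,WS01,528,alice,2,0x5f10
2005-03-01 17:30:40,WS01,538,alice,2,0x5f10
2005-03-01 09:10:00,WS02,528,bob,2,0x7c01
"""

def pair_sessions(text):
    """Match each 528/540 to the 538 carrying the same computer and Logon ID."""
    pending, sessions = {}, []
    rows = sorted(csv.reader(io.StringIO(text)), key=lambda r: r[0])
    for when, computer, event_id, user, logon_type, logon_id in rows:
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        key = (computer, logon_id)
        if int(event_id) in LOGON_EVENTS:
            kind = LOGON_TYPES.get(int(logon_type), logon_type)
            pending[key] = (ts, user, kind)
        elif int(event_id) == LOGOFF_EVENT and key in pending:
            start, who, kind = pending.pop(key)
            sessions.append({"computer": computer, "user": who, "type": kind,
                             "seconds": int((ts - start).total_seconds())})
    # Logons with no matching 538: still logged on, or the logoff was never recorded.
    still_open = [{"computer": c, "user": u, "type": k}
                  for (c, _), (_, u, k) in pending.items()]
    return sessions, still_open

def interactive_sessions(text):
    """Keep only console sessions, dropping the short type 3 pairs seen on the DC."""
    return [s for s in pair_sessions(text)[0] if s["type"] == "interactive"]

if __name__ == "__main__":
    done, still_open = pair_sessions(SAMPLE)
    for s in done:
        print(s)
    print("open:", still_open)
```

The rows from the workstations stand for entries collected from each computer's local security log, since that is where the logon/logoff events are recorded.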
 
Guest

Hi Steven

Thanks for your response.

Unfortunately I wasn't able to find what I need. Actually I did what
you said in the document: I enabled "Account logon events" only in the Domain
Controller Security Policy for success and failure, and in "Audit logon
events" I enabled failure only, as you said.

For the Users group policy I enabled Audit logon events for both success and
failure.

Then I am getting 672 and 673 event IDs in my domain controller's event viewer.

672 is for "authentication ticket granted", authentication type is 2. Here
what I did find is that when any user is logging on from their client machine, I
can see this log in the domain controller security log. Immediately I am finding
3 more 673 events for the same user. 673 is for "service ticket granted".
For logging off I am finding any log

And suppose the client locks the system and goes away, and then
logs on to the system again; then I should be able to find the log in my domain controller's
event viewer.

And in the client computer's event viewer I am not finding anything in the
security log after I did the above.

How about the 528 and 529 events? What are those for?

Actually I have been fighting with this for the past 15 days, but there has been no luck
until now.

Please help me, Steven. Waiting for your reply.

Thanks

Varadarajam.
 
