Auditing User logon and logoff, from the event logs on the domain controllers

Paul

I'm trying to build statistics on computer lab usage based on the log
on, log off events registered on AD domain controllers.

On individual machines it's pretty easy to determine what's a logon
and what's a logoff. Logon is event id 528, type 2 and logoff is 538
type 3. Getting that same info from the DC's appears more
complicated. 528 applies to only local logons, so can't use that.
I've found that anyone logging on always generates an event id 673, or
kerberos ticket granted. But what about logoffs? Logging off
generates 538's, but the problem is that I see a bunch of 538's when a
user logs in too. Is there a way to accurately figure out when
someone logs off?
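An added example (not from the thread or any poster) of how the "bunch of 538's at logon" can be separated from the real session end: events 528/540 and 538 carry the same Logon ID, so a 538 is only the end of a session if its Logon ID matches an earlier interactive (logon type 2) logon. The sample records and the tab-separated export layout (time, event id, logon type, user, computer, Logon ID) are constructed assumptions for the demonstration.

```python
"""Pair interactive logons with their logoffs by Logon ID.

Added example with constructed sample data. Assumed export layout: one event
per line, tab-separated columns of time, event id, logon type, user,
computer and Logon ID (as shown in the event description).
"""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time event_id logon_type user computer logon_id")

# Constructed sample: jsmith's morning on LAB-PC07, then ajones signs in and
# has not logged off by the end of the export. The logon type 3 540/538 pairs
# are the network connections made during sign-in; they are the extra 538s.
SAMPLE_LOG = """\
2004-03-01 08:58:10\t528\t2\tjsmith\tLAB-PC07\t(0x0,0x1A2B3)
2004-03-01 08:58:12\t540\t3\tjsmith\tLAB-PC07\t(0x0,0x1A2C9)
2004-03-01 08:58:12\t538\t3\tjsmith\tLAB-PC07\t(0x0,0x1A2C9)
2004-03-01 08:58:15\t540\t3\tjsmith\tLAB-PC07\t(0x0,0x1A2D4)
2004-03-01 08:58:15\t538\t3\tjsmith\tLAB-PC07\t(0x0,0x1A2D4)
2004-03-01 10:30:44\t538\t2\tjsmith\tLAB-PC07\t(0x0,0x1A2B3)
2004-03-01 10:35:02\t528\t2\tajones\tLAB-PC07\t(0x0,0x1F000)
"""

LOGON_IDS = {528, 540}   # successful logon / successful network logon
LOGOFF_ID = 538          # user logoff
INTERACTIVE = 2          # logon type 2 = at the console


def parse_events(text):
    """Parse the assumed tab-separated export into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, eid, ltype, user, comp, lid = line.split("\t")
        events.append(Event(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
                            int(eid), int(ltype), user, comp, lid))
    return events


def count_logoffs(events):
    """Raw 538 count: what you get if you count logoffs without correlating."""
    return sum(1 for e in events if e.event_id == LOGOFF_ID)


def interactive_sessions(events):
    """Return (user, computer, start, end) tuples for type 2 logons.

    end is None when no 538 with the same Logon ID was seen (still logged on,
    or the machine went away without writing a logoff).
    """
    open_sessions = {}  # logon_id -> the logon Event that opened it
    sessions = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in LOGON_IDS and ev.logon_type == INTERACTIVE:
            open_sessions[ev.logon_id] = ev
        elif ev.event_id == LOGOFF_ID and ev.logon_id in open_sessions:
            start = open_sessions.pop(ev.logon_id)
            sessions.append((start.user, start.computer, start.time, ev.time))
        # 538s whose Logon ID belongs to a type 3 logon fall through: noise.
    for start in open_sessions.values():
        sessions.append((start.user, start.computer, start.time, None))
    return sessions


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("raw 538 count:", count_logoffs(evs))
    for user, comp, start, end in interactive_sessions(evs):
        print(user, comp, start, end or "(no logoff seen)")
```

On the sample this reports three 538s but only one completed interactive session, which is the gap between counting event IDs and counting sessions. The same correlation works on a workstation's own log; on a DC it only helps for logons at the DC's console, since, as noted above, 528 there does not cover workstation logons.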
 
Herb Martin

Please keep posting what you find; I for one am interested.

Have you looked at the list of events in the ResKit? For
Win2000 it is in w2000events.mdb.

Also consider that a Kerberos ticket will be generated for
other than logons -- referrals and separate authentication.
 
Rykel

The quickest option (given the fun filtering event logs can be) would be to
put a logon and logoff script into AD for each user (through GP) and just write
whatever details you're needing to a single server-side textfile. We do that
(comma-separating things) so we can just slurp it into Excel/php and analyse
the bejebus out of it. AD-initiated scripts have access to the full set of
environment data (username, computername, etc etc) so you can make quite a
useful database out of it. Ours goes to town and checks stuff like
spyware-ish registry changes, presence of unauthorised software and so on.

~D~
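An added example (not Rykel's script or anything from the thread) of the analysis half of that approach. It assumes the logon and logoff scripts each append one line of `timestamp,LOGON|LOGOFF,username,computername` to the shared text file; the sample lines and the 18:00 cutoff are constructed. The part the event-log route makes hard is covered here too: a workstation switched off at the wall never runs the logoff script, so those sessions are closed at the cutoff and flagged as truncated rather than silently dropped or left open.

```python
"""Lab usage statistics from a logon/logoff script text file.

Added example with constructed data. Assumed line format written by the
scripts: timestamp,LOGON|LOGOFF,username,computername.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample. ajones on LAB-PC03 never writes a LOGOFF line (machine
# powered off), which is the case the statistics must not get wrong.
SAMPLE = """\
2004-03-01 09:00:00,LOGON,jsmith,LAB-PC01
2004-03-01 09:05:00,LOGON,ajones,LAB-PC02
2004-03-01 09:10:00,LOGON,cdoe,LAB-PC04
2004-03-01 09:20:00,LOGOFF,cdoe,LAB-PC04
2004-03-01 09:30:00,LOGOFF,jsmith,LAB-PC01
2004-03-01 09:31:00,LOGON,bkhan,LAB-PC01
2004-03-01 10:00:00,LOGOFF,ajones,LAB-PC02
2004-03-01 10:45:00,LOGON,ajones,LAB-PC03
2004-03-01 11:00:00,LOGOFF,bkhan,LAB-PC01
"""

DAY_END = datetime(2004, 3, 1, 18, 0, 0)  # constructed cutoff (lab closes)


def load_sessions(text, cutoff):
    """Return (user, computer, start, end, truncated) tuples.

    truncated is True when the end was not a LOGOFF line: either the next
    LOGON of the same user on the same machine arrived first, or nothing
    arrived before the cutoff.
    """
    open_sessions = {}  # (user, computer) -> start time
    sessions = []
    for ts, kind, user, comp in csv.reader(StringIO(text)):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user, comp)
        if kind == "LOGON":
            if key in open_sessions:  # previous session never logged off
                sessions.append((user, comp, open_sessions[key], t, True))
            open_sessions[key] = t
        elif kind == "LOGOFF" and key in open_sessions:
            sessions.append((user, comp, open_sessions.pop(key), t, False))
        # a LOGOFF with no matching LOGON (logon script did not run) is ignored
    for (user, comp), start in open_sessions.items():
        sessions.append((user, comp, start, cutoff, True))
    return sessions


def hours_per_computer(sessions):
    """Total logged-on hours per machine, truncated sessions included."""
    totals = defaultdict(float)
    for _, comp, start, end, _ in sessions:
        totals[comp] += (end - start).total_seconds() / 3600
    return dict(totals)


def peak_concurrent(sessions):
    """Highest number of simultaneous sessions (a -1 sorts before +1 at
    the same instant, so back-to-back sessions do not overlap)."""
    marks = []
    for _, _, start, end, _ in sessions:
        marks.append((start, 1))
        marks.append((end, -1))
    marks.sort()
    current = peak = 0
    for _, delta in marks:
        current += delta
        peak = max(peak, current)
    return peak


if __name__ == "__main__":
    sess = load_sessions(SAMPLE, DAY_END)
    for user, comp, start, end, truncated in sess:
        print(user, comp, start, end, "(no logoff line)" if truncated else "")
    print("hours per computer:", hours_per_computer(sess))
    print("peak concurrent sessions:", peak_concurrent(sess))
```

The truncated flag is worth keeping in the output: a session closed at the cutoff inflates the hours for that machine, and a high truncated count on one machine usually points at users powering it off rather than logging off.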