Windows Server domain, user login logging

NotAnalGrap

So I have a side project and the client wants me to be able to provide on-demand logs of 2 things:

1. All users accounts currently active in the system (enabled accounts).

2. (more important) Logs every time someone uses their account to log in to the domain. I've done some searching and tested some scripts, but I haven't had much luck. I confess that this is a weak point for me. If anyone has any tips I would really appreciate it. Server is running Windows Server 2012 Essentials R2.
 
Been a while since I messed with Windows Server. I would think it would be in the group policies to do such things natively, but I could be wrong. Remember, managing these servers is designed to require 6-year, $100,000 educations. Nothing is allowed to be easy or make sense. But that feature request you put in 20 years ago for NT 3.51 will surely be in Windows Server 2032 "10 times the price of the base edition".
 
There are log viewers, like Splunk, that do the job. WhatsUp Gold might help. I used to use Splunk and EventLogManager, all of which do this with Active Directory.
 
I will look and see what I can find. Pretty sure you can set the event logs to forward specific events. You can just set that to the logon event.
 

Yeah I got pretty lost in there. Any advice is welcome! You've helped me out before, which has been awesome. No pressure though. =)
 
So I do have audit logging enabled in the group policy, but it doesn't look like anything is generated that logs the actual user that logs in?
User always says N/A. It also only shows for this computer, not a specific computer on the domain.

 
You got it with the audit policy you enabled. The account name is the user account in the domain. It will also show the account domain. 4624 and 4634 are the logon and logoff events. What you need to look for is the Logon Type. A type 2 is an interactive logon (to a machine, etc.). We use Splunk, which is a great reporting tool.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

I am not sure how big the environment is, but check this out. You should be able to add logon type and make something useful from the script.

https://gallery.technet.microsoft.com/scriptcenter/Export-Windows-event-log-ecdfadfc
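Putting the two requested reports (enabled accounts, and who logged on when) together with JWR046's pointers about event 4624 and the Logon Type field, as an added example that is not from the thread or the linked gallery script; the function names and the CSV paths are my own choices.

```powershell
# Added example, not from the thread. Run on the Server 2012 R2 DC with an account
# that can read the Security log. Assumes the ActiveDirectory module (present on a DC)
# and that success auditing for Logon/Logoff is already enabled, as in the thread.
Import-Module ActiveDirectory

# 1. Every currently enabled user account in the domain, for the "active accounts" report.
function Get-EnabledDomainUsers {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Select-Object SamAccountName, Name, LastLogonDate |
        Sort-Object SamAccountName
}

# 2. Logon events (4624) with the account, logon type and source decoded from the
#    event XML. Default keeps type 2 (interactive) and 10 (remote interactive) and
#    drops computer accounts (names ending in $). -ComputerName lets the same function
#    run against a workstation, whose own Security log holds its interactive logons
#    (remote reads need the "Remote Event Log Management" firewall rule on that host).
function Get-DomainLogonEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int[]]$LogonTypes = @(2, 10)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $ComputerName
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = [int]$data['LogonType']
                Workstation = $data['WorkstationName']
                SourceIP    = $data['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -in $LogonTypes -and $_.Account -notmatch '\$$' }
}

# Usage: produce the two on-demand reports as CSV files for the auditor.
Get-EnabledDomainUsers | Export-Csv -NoTypeInformation -Path .\enabled-users.csv
Get-DomainLogonEvents -Since (Get-Date).AddDays(-30) |
    Export-Csv -NoTypeInformation -Path .\logons-dc.csv
```

Interactive logons to a workstation are written to that workstation's Security log, while the DC records them as Kerberos ticket events (4768/4769) and type 3 network logons, so for a 9-workstation office either call Get-DomainLogonEvents -ComputerName for each workstation or report on 4768 from the DC.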
 
Speaking in generic terms here. Use whatever auditing mode you have listed in your Group Policy Object. You will probably have to create a special Organizational Unit (if you already have accounts/members made) and link it to that GPO. Also consider making a scheduled task in the Event Viewer. I believe there may be an option there to track any logging activity. Credentials have to be made in order for Event Viewer to pick them up.


What Roles do you have installed on your Server?

*Edit*
I am currently enrolled in a 1 year course involving Computers and Network Technology. And we just recently completed our Server Fundamentals Term. I used the link provided a few times to help me better understand Login Tracking. I hope this helps.
http://www.eventtracker.com/newslet...s-logon-tracks-throughout-the-windows-domain/
 
I wouldn't enable GPO tracking to log activity, as you don't get the reporting capabilities that you are wanting and it also logs too much stuff to the server, eating up storage. Splunk is the preferred method and what most people prefer because of the reporting capabilities. If that doesn't work for you, let me know and I can probably work something up for you.

Are there any GPMC errors?

The other way is to enable GPO editor client-side extension logging, but this requires registry tweaking, and if you're not familiar with this then you can really mess some things up.

I am by no means a master at this, but I do have my CompTIA Network+ and Security+ along with finishing my master's in MIS. Also Certified Network Defense Analyst. I have experience with it and can do it, but it's always hard when you don't have the actual server in front of you and can't see the setup.
 
BTW, does this company or client have cloud storage? If that is the case, then Splunk is the definite way to go, as you can run Splunk as SaaS and store everything in the cloud, keeping the servers clean.
 
Doc did the 1st important step, which is configuring the audit logging policy. By default the logging is ridiculous and captures system events, which fills the event logs. Like I stated earlier, the solution depends on the size of the environment. Following authentication events is not a big deal, but there is not really an out-of-box solution. You can also report on last logon, but that becomes a little tricky. If you have one server it is a piece of cake. I support a large enterprise and capturing event logging is a huge effort. We currently utilize Splunk, which has a whole team behind it.
 
I appreciate the feedback, guys. This is a pretty small office, 1 server and 9 workstations. Splunk isn't practical due to costs. Just need enough info to be able to comply with HIPAA audit requests. I think I got it sorted using a free version of a reporting tool. It showed that all the auditing I need is indeed being saved to the server.

@JWR046 should I set system events to no? Is there any benefit (or meaning) to leaving them undefined?
 
I will have to look at how they were set in the GPO. We did this when Server 2008 was implemented.
 