Windows-Expert.com Forum - Server Active Directory

Auditing User Logon/Logoff

Steve (Guest)
Posted: Tue Nov 18, 2008 8:26 pm    Subject: Auditing User Logon/Logoff

What is the best auditing to use to audit user logon/logoff to the domain? I
assume that this goes to the DC Security log...but what is the best way to
compile this data with multiple DCs? Thanks. Steve

JPolicelli [MVP-DS] (Guest)
Posted: Tue Nov 18, 2008 8:32 pm    Subject: Re: Auditing User Logon/Logoff

In my experience, MOM / SCOM is the best way, but it is also costly. If you
do not have MOM / SCOM in place, you can use Microsoft's Event Comb tool,
which is free. More information can be found here:
http://support.microsoft.com/kb/308471

Event Comb is included in the Windows Server 2003 resource kit tools. You
can download these tools from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/

Steve (Guest)
Posted: Tue Nov 18, 2008 9:24 pm    Subject: Re: Auditing User Logon/Logoff

I have the resource kit installed on all of our Win2003 SP2 DCs, and have the
Event Comb installed on another Windows server--I have used it for account
lockouts. How can I tweak it to give me a list of the logon/logoff for
specific users? thanks. steve


JPolicelli [MVP-DS] (Guest)
Posted: Tue Nov 18, 2008 11:36 pm    Subject: Re: Auditing User Logon/Logoff

Assuming you have auditing (Audit Account Logon Events) configured in Group
Policy, you will need to tweak Event Comb to gather the applicable event
IDs.

First, configure Event Comb to scan the Security log on every DC. You can do
this by 1) typing the FQDN into the domain field in Event Comb, and then 2)
right-click on the "Select to Search/Right click to Add" box and select "Get
DCs in Domain."

->To get all successful account logon attempts:
- Select Security in the "Choose Log Files to Search" section
- Select Success Audit in the "Event Types" section.
- Type 540 in the "Event IDs" field
- Click Search
The problem now is that the above will give you a LOT of audit events. Keep
in mind that computers also authenticate so these will be logged too.
To work around this, you can either search for events for a specific user or
use Excel, or some other means, to filter out the computer names, which have
a $ at the end.

->To get all failed account logon attempts:
- Select Security in the "Choose Log Files to Search" section
- Select Success Audit in the "Event Types" section.
- Type the applicable event IDs into the "Event IDs" field, separated by
spaces (for example 529 531 539)
529 - Failed logon because of invalid username or password.
531 - Failed logon because of disabled account.
539 - Failed logon because account is locked out.
530 - Failed logon because user attempts to logon outside of permitted logon
hours.
532 - Failed logon because account has reached its expiration date.
535 - Failed logon because password has expired.
533 - Failed logon because the user account has been restricted to logging
onto a particular PC and the user attempts to logon from another PC.
- Click Search

->Additional Filtering/Tweaks that apply to both of the above:
-To search for a specific user, type "User Name: Administrator" (less the
quotes) in the "Text" field in Event Comb and then redo your search
(substitute Administrator for the user in question).
-To search for a particular type of logon event, type "Logon Type: #" (less
the quotes) in the "Text" field in Event Comb and then redo your search
(substitute # with the logon type number below).
For logon type numbers and their meaning, see
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033


To get a particular type of successful account logon attempt:
- Select Security in the "Choose Log Files to Search" section
- Select Success Audit in the "Event Types" section.
- Type 540 in the "Event IDs" field
- Click Search



I listed some details on the applicable event IDs below. All of these are in
the Security Log, so select the checkbox next to Security in Event Comb.
If you want to track successful logons:

Event ID: 540
Source: Security

ID   Meaning                                      Details to look for in Event Comb
540  A logon session was created for the user.


--

JPolicelli, MVP - Directory Services
This posting is provided "AS IS" with no warranties and confers no rights!
http://johnpolicelli.wordpress.com/
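Once Event Comb has pulled the events off every DC, the filtering the post describes (event 540 for successful logons, the listed failure IDs, dropping machine accounts that end in $, narrowing to one user or one logon type) can be applied to the exported records. The script below is an added example, not Event Comb's code or the poster's; the record layout and sample rows are constructed for it (they are not Event Comb's file format), and event 538 (user logoff) is a known Windows 2000/2003 Security-log ID that the thread itself does not give.

```python
from collections import Counter, defaultdict
# Failure reasons as listed in the post (Windows 2000/2003 Security log IDs).
FAILURE_REASONS = {
    529: "invalid username or password",
    530: "outside permitted logon hours",
    531: "account disabled",
    532: "account expired",
    533: "workstation restriction",
    535: "password expired",
    539: "account locked out",
}
LOGON_OK = 540  # successful logon session created (event ID from the post)
LOGOFF = 538    # user logoff; a known Windows 2000/2003 ID not given in the thread

def is_computer_account(name):
    # Machine accounts authenticate too; their names carry a trailing '$'.
    return name.endswith("$")

def parse(lines):
    """Parse constructed 'dc,event_id,type,user,logon_type' lines into dicts."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dc, eid, etype, user, ltype = [f.strip() for f in line.split(",")]
        records.append({"dc": dc, "id": int(eid), "type": etype,
                        "user": user, "logon_type": int(ltype)})
    return records

def summarize(records, user=None, logon_type=None):
    """Per-user logon/logoff counts and failure reasons; computer accounts dropped.
    user / logon_type mirror the post's "User Name:" and "Logon Type:" text filters."""
    logons, logoffs, failures = Counter(), Counter(), defaultdict(list)
    for r in records:
        if is_computer_account(r["user"]):
            continue
        if user is not None and r["user"].lower() != user.lower():
            continue
        if logon_type is not None and r["logon_type"] != logon_type:
            continue
        if r["id"] == LOGON_OK and r["type"] == "Success Audit":
            logons[r["user"]] += 1
        elif r["id"] == LOGOFF:
            logoffs[r["user"]] += 1
        elif r["id"] in FAILURE_REASONS:  # these are logged as Failure Audit entries
            failures[r["user"]].append(FAILURE_REASONS[r["id"]])
    return {"logons": dict(logons), "logoffs": dict(logoffs), "failures": dict(failures)}

# Constructed sample records (not real log data, not Event Comb's file format).
SAMPLE = """# dc,event_id,type,user,logon_type
DC1,540,Success Audit,steve,3
DC2,540,Success Audit,steve,2
DC1,540,Success Audit,WKS01$,3
DC1,538,Success Audit,steve,3
DC2,529,Failure Audit,jdoe,2
DC1,539,Failure Audit,jdoe,2
DC1,540,Success Audit,Administrator,10
""".splitlines()
```

Calling `summarize(parse(SAMPLE))` gives the per-user picture across both DCs, and `summarize(parse(SAMPLE), user="steve", logon_type=3)` is the equivalent of the post's "User Name:" plus "Logon Type:" text filters.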

Marcin (Guest)
Posted: Tue Nov 18, 2008 11:50 pm    Subject: Re: Auditing User Logon/Logoff

Steve,
depending on the size of your domain (and the amount of auditing you enable),
managing and searching through event logs might get fairly cumbersome.
You might want to consider alternatives - one of them is described in
http://support.microsoft.com/kb/556015
The other involves use of LimitLogin. While the primary purpose of this
utility is restricting the number of concurrent logons, it also includes a
feature that allows you to keep track of user logons (even with the logon limit
disabled). For more info, refer to
http://technet.microsoft.com/en-us/magazine/cc160794.aspx

hth
Marcin


Richard Mueller [MVP] (Guest)
Posted: Wed Nov 19, 2008 3:48 am    Subject: Re: Auditing User Logon/Logoff

I use logon and logoff scripts that log to a shared text file. An example
logon script is linked here:

http://www.rlmueller.net/Logon5.htm

You can code a similar logoff script using Group Policy. I copy the log file
and read it into a spreadsheet program for analysis. You can skip the IP
address function.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Steve (Guest)
Posted: Wed Nov 19, 2008 2:30 pm    Subject: Re: Auditing User Logon/Logoff

Thanks for your help--what is the event ID for the logoff (logging off of the
Windows 2003 domain, from a Windows XP workstation for example)? We do have the
Audit Account Logon Events turned on for the domain already. Steve



JPolicelli [MVP-DS] (Guest)
Posted: Thu Nov 20, 2008 12:51 pm    Subject: Re: Auditing User Logon/Logoff

Refer to the following for details on security related events:
http://support.microsoft.com/kb/174074

--

JPolicelli, MVP - Directory Services

This posting is provided AS IS with no warranties and confers no rights.
Always plan and test.

http://johnpolicelli.wordpress.com/