I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers.
Auditing logon events can get somewhat tricky, but it can successfully be done.
My problem: how can I track logoff events?
Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone.
This is a very specific question: is something logged on DCs when a user logs off from a domain workstation?
To clarify: I'm not interested in other auditing methods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers' security logs; reading each workstation's local event logs is out of the question.
If this can't be done, it's ok; but I need a clear answer on that.
- Can this be done?
- If yes, how?
You are correct, they aren't logged on your DCs. However, I believe (but am not positive) that if your auditing is high enough on the DCs, an event is logged when someone disconnects a network drive. So if you are mapping drives for your users, you could potentially track their logoffs by looking for that 'dismount' event. Even then, I'm not sure I would want to rely on that. You said you can't deploy scripts, but I'm just mentioning that in case you already are in your environment.
Looks like this just can't be done.
Nothing gets logged on DCs when a user logs off, apart from closed network sessions (but they can be closed anytime, not only upon logoffs).