I'm not very familiar with Active Directory and I've been trying to figure out if there are log files to check that would list user logins with times to check up on unauthorized access. I'm running Active Directory in Windows 2008.
You can enable auditing through Group Policy; there are options to audit successful and unsuccessful logins. Keep in mind, if you have more than one DC, logons can be handled by any of them, so a user may log into DC 1 today, and DC 2 tomorrow. Also, services, applications, and other things produce login audits, so it does tend to get a bit cluttered.
You would find the audits in the Security log under the Event Viewer (Windows Logs node in 2008).
Provided you have the logging of logon events to the security event log enabled, you can parse through the event log looking for logon attempts. A tool useful for this is Sysinternals PSLoglist.exe, and you should query domain controllers and file servers for activity.
There are several different 5xx and 6xx event IDs for you to look for. You'll set the command line up like:
You can also use a filtered dsquery.exe query to look for user attributes like lastlogon time.
The post above is correct. DCs in a site will have event log entries that represent the logons they have serviced. This can be misleading due to the reasons that post mentioned...along with some others like Kerberos ticket renewal. To really get a good picture you also need the security logs from your workstations. This can be kind of a pain. If they are XP, then I would batch it and load it to your central log host during slow hours. If they are Vista or higher you can configure event forwarding. This has some prerequisites, but it's probably the best option.
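One way to pull the logon audits from every DC into a single timeline with the service and machine-account noise filtered out, as an added example that is not from any of the posts above. It assumes PowerShell 2.0 or later, logon auditing already enabled, and read access to each Security log; `DC1` and `DC2` are placeholder host names, and 4624/4625 are the Security log IDs Windows Server 2008 records for successful and failed logons.

```powershell
# Added example, not from the thread. DC1/DC2 are placeholder names: list every
# domain controller here, because any of them may have serviced a given logon.
$dcs   = 'DC1', 'DC2'
$since = (Get-Date).AddDays(-1)

# Logon types to keep: 2 = interactive, 3 = network, 10 = remote interactive (RDP).
# Types 4 (batch) and 5 (service) are the clutter mentioned above and are dropped.
$keepTypes = '2', '3', '10'

$events = foreach ($dc in $dcs) {
    try {
        # 4624 = successful logon, 4625 = failed logon (Windows Server 2008 and later)
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624, 4625; StartTime = $since
        }
    } catch {
        # Also raised when the DC simply has no matching events in the window
        Write-Warning "No events read from ${dc}: $($_.Exception.Message)"
    }
}

$logons = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a name/value table
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($keepTypes -notcontains $d['LogonType']) { continue }   # service/batch noise
    if ($d['TargetUserName'] -like '*$')        { continue }   # computer accounts

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        DC        = $e.MachineName
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $d['LogonType']
        SourceIP  = $d['IpAddress']
    }
}

# One merged timeline across all DCs, oldest first
$logons | Sort-Object Time |
    Select-Object Time, DC, Result, User, LogonType, SourceIP |
    Format-Table -AutoSize
```

Kerberos ticket activity is logged under separate event IDs, so this view covers only the logon events themselves; workstation logs still have to be collected separately as described above.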