Before getting into the specifics, I would like to give a short introduction to tracking logon/logoff activity in an Active Directory environment, which is a cumbersome process.
Auditing the Windows Active Directory environment
With the current Windows architecture, it is difficult to get all logon data at a single point. In an AD environment, the Domain Controller (DC) is the machine that performs the actual authentication. When a setup has multiple DCs handling authentication, the logon data (please note, only the logon data) is spread across different computers (that is, the DCs). So, to build a clear picture of logon activity, collecting all of this data is essential. Also another pain point here is …