ManageEngine ADAudit Plus is a UBA-driven auditor that bolsters your Active Active (AD) security infrastructure. With over 250 built-in reports, it provides you with granular insights into what’s happening within your AD environment, such as all the changes made to objects and their attributes. This can include changes to users, computers, groups, network shares, and more. ADAudit Plus also helps monitor privileged user activities in the domain, analyze authentications on domain controllers, track logons and logoffs on workstations, and provide visibility into AD account lockouts.

In this blog series on User Logon Reports, we’ll examine and understand the various reports that ADAudit Plus has in store for us. The User Logon Reports category incorporates 16 preconfigured reports that provide comprehensive audit information related to user logon activity, user logon failures, and many other domain-oriented user activities.

This fifth blog of the series discusses one of the most important user logon actions that enterprises must audit to ensure their Active Directory architecture is tightly secured: the last logon times of users on workstations.

Need a refresher on the Domain Controller Logon Activity report? Find it here in the previous blog in this series.

Auditing users’ last logon actions on workstations

Tracking and understanding an event like the last logon performed by a user on their workstation is critical for any system administrator. It can help in maintaining robust Active Directory health in the following five ways:

  1. Admins can see the time of each user’s last logon on all workstations.
  2. Admins can use last logon information to examine any logon that could have occurred recently on a workstation and check if it is unauthorized or questionable.
  3. Every attack kill chain contains a logon either as part of the initial compromise or lateral movement. Since this report shows the last logon of each user on a workstation, it can help admins investigate attacks that may be ongoing.
  4. In the unfortunate event of a cyberattack, this crucial data will also facilitate the admins and analysts to conduct and accelerate forensic analysis.
  5. Admins will be able to contain the damage following a cyberattack, reducing the loss to business.

These can all easily be done by administrators using ADAudit Plus’ ‌Last Logon on Workstations report.

The Last Logon on Workstations report in action

James is an IT admin from ABC Corp. His organization has fallen victim to a cybercrime and James now wants to track down the last logon time of every user on their workstations.

Problem: How does James find a user’s last logon time on a workstation  ?

Solution: The Last Logon on Workstations report in ADAudit Plus helps James generate a report thats shows the last logon time of all the users who logged on to a workstation in a specified time period. This information is picked up from the authentication event that happens on the domain controller.

Figure 1. This screenshot shows the Last Logon on Workstations report in ADAudit Plus

The Last Logon on Workstations report helps system administrators like James by providing them with details like:

  1. Username: The name of the user who performed the last logon action on a workstation.

  1. Client IP address: The IP address associated with the client or workstation. In case the organization uses Dynamic Host Configuration Protocol (DHCP), the current IP address will be displayed.

  1. Client host name: The host name of the client or workstation. This is obtained after resolving the IP address.

  1. Logon Time: The date and time of the last logon attempt.

As seen in Figure 1, the generated report provides all the necessary information regarding the last logon activity of users on their workstations.

The report is extremely useful for conducting comprehensive security hygiene checks and speeding up the forensic analysis process following a cyberattack.

From the generated Last Logon on Workstations report, James can:

  1. Select Export As to generate the report in any of the preferred formats (CSV, PDF, HTML, or XLS).

  1. Schedule the report to run at a set interval for automatic, periodic reporting, and have these reports sent to his email address.

  1. Use the Add/Remove Column feature available in the report to select additional attributes.

  2. Generate reports by selecting multiple domains.

Knowing who logged on, when, and to which workstation is all critical information for IT admins that want a clear picture of what’s happening in their AD, which can be easily viewed using the extensive reporting module of ADAudit Plus.

Sign up for a personalized demo with our product experts to explore how ManageEngine ADAudit Plus can help you with monitoring and securing your AD environment.