Here I’ll discuss various methodologies that are available, or that I’ve used, for user login tracking.

The Lazy man’s way…

I love Kevin Weilbacher’s simple script, which is available on his blog. It records logon/logoff, machine name and a date/time stamp. He titled the post “Lazy man’s way to track user logon/logoff”; you can follow the link for more improvisation on the script.

Quote:
----- logon.cmd -----
echo logon %username% %computername% %date% %time% >> \\sbs\share\logon.log

----- logoff.cmd -----
echo logoff %username% %computername% %date% %time% >> \\sbs\share\logon.log
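
The log that logon.cmd and logoff.cmd append to can be turned into session data. The following is an added example, not part of Kevin Weilbacher’s script or of this post: it pairs logon and logoff lines by file order and reports open sessions, users logged on to more than one machine at once, and lines that do not fit. The function name `analyse` and the sample users, machines and timestamps are constructed, and it assumes user and computer names contain no spaces.

```python
# Added example: rebuild sessions from the logon.log written by logon.cmd/logoff.cmd.
# Line format assumed from the script: "<logon|logoff> <user> <computer> <date/time text>"
from collections import defaultdict

# Constructed sample; %date% %time% text is locale-dependent, so it is kept opaque.
SAMPLE_LOG = """\
logon alice PC01 Mon 03/03/2008 8:59:10.11
logon bob PC02 Mon 03/03/2008 9:02:44.50
logon alice PC07 Mon 03/03/2008 9:30:01.02
logoff bob PC02 Mon 03/03/2008 12:00:15.93
logoff carol PC05 Mon 03/03/2008 12:10:00.00
garbage line
"""

def analyse(text):
    """Return (open_sessions, concurrent, anomalies), using append order as time order."""
    open_sessions = defaultdict(dict)   # user -> {computer: logon timestamp text}
    concurrent = []                     # (user, computers) when a second machine logs on
    anomalies = []                      # (line number, reason)
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 3)   # echo leaves a trailing space before ">>"
        if len(parts) < 4 or parts[0].lower() not in ("logon", "logoff"):
            if line.strip():
                anomalies.append((n, "unparseable"))
            continue
        action, user, computer, stamp = parts
        user, computer = user.lower(), computer.upper()   # Windows names are case-insensitive
        if action.lower() == "logon":
            open_sessions[user][computer] = stamp
            if len(open_sessions[user]) > 1:
                concurrent.append((user, sorted(open_sessions[user])))
        elif open_sessions[user].pop(computer, None) is None:
            anomalies.append((n, "logoff without logon"))
    still_open = {u: dict(c) for u, c in open_sessions.items() if c}
    return still_open, concurrent, anomalies

if __name__ == "__main__":
    still_open, concurrent, anomalies = analyse(SAMPLE_LOG)
    print("open:", still_open)
    print("concurrent:", concurrent)
    print("anomalies:", anomalies)
```

Because every user must be able to append to the share for the scripts to work, the entries are self-reported; corroborate anything important against the domain controller security log.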

Event IDs Log the details..

Enabling account logon auditing on the domain controllers can do this. (Group Policy on the domain controllers’ OU – Computer Configuration – Windows Settings – Security Settings – Local Policies – Audit Policy – ‘Audit Account Logon Events’.)

By having this setting on domain controllers, user logon attempts will be recorded in the domain controller security event log. The event log entry will indicate whether the user was successful or not at logging in.

Quote:
The successful event IDs are:

672 – granting of an authentication ticket.

673 – Indicates the granting of a service ticket.

680 – NTLM protocol used to successfully log on a user.

The Failure event IDs are:

675 – Failure code 24 – bad password.

676 – Failure code 6 – invalid user name;
      failure code 12 – workstation restrictions in place;
      failure code 18 – account is locked out;
      failure code 23 – expired password.

681 – NTLM protocol logon failure.

LimitLogin utility from Microsoft

There is a utility called LimitLogin from Microsoft.

While the main purpose of LimitLogin is to enforce concurrent login quotas, it can also be used purely as a login data capture solution that lets you manage your Active Directory environment more effectively. To me it’s a tedious process to set up the environment, but it’s a useful tool.

Quote:
LimitLogin’s architecture is built around three main elements:

* A Web service that handles the back-end processing on the server

* An application directory partition that holds the login information

* Login and logoff VBS scripts

User Logon Reports from Desktop Central

Desktop Central has a reports category called User Logon Reports. It gives all the necessary information that an administrator wants to know.

Quote:
– Currently Logged on Users

– Users Frequently Logged On to the Domain

– Users Rarely Logged On the Domain

– Inactive Users

– Computers with Frequent User Logon

– Computers with Rare User Logon

– Computers with No User Logon

– User Logon History

– User Logon History by Computers

– User Logon History on Domain Controller

– Logon Servers with their Reported Users

The other tools mentioned above give primitive information about user login, but Desktop Central gives exclusive and extensive reports for Active Directory and user login tracking. Please go through the reports and send in your valuable feedback.

If you need any additional reports in this specific area please feel free to contact me or send your requirements to support@desktopcentral.com