Tracking User Logons in Active Directory

By dwirch | 2023-01-19

To track user logons across a Windows Active Directory domain, start with the built-in Event Viewer. It lets you view and filter the event logs on a domain controller (or any other Windows host), and the Security log is where logon and authentication events land.

To access the Event Viewer:

  • Open the Start menu and type “Event Viewer” in the search bar
  • Click on “Event Viewer” to open the tool
  • In the left pane, navigate to “Windows Logs” > “Security”
  • Look for events with ID 4624 (successful logon) or 4625 (failed logon). These are recorded on the computer where the logon session was created, so on a domain controller they only cover logons to that DC itself.
  • For a domain-wide view, also look at the account logon events a DC writes whenever it authenticates a domain account, whichever machine the user logged on from: 4768 (Kerberos TGT requested), 4771 (Kerberos pre-authentication failed, typically a bad password) and 4776 (NTLM credential validation).
  • A quick filter: right-click the Security log, choose “Filter Current Log…” and enter 4624,4625,4768,4771,4776 in the event ID field.

None of these events are written unless auditing is enabled. Use the built-in “Group Policy Management” tool to turn logon auditing on for your domain controllers and member computers.

To enable auditing:

  • Open the “Group Policy Management” tool on a domain controller
  • Create a new GPO or edit an existing GPO (check what the Default Domain Controllers Policy already audits before adding a duplicate setting)
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Enable “Audit account logon events” for both Success and Failure. This records credential validation (4768/4771/4776) on the domain controller that authenticates the account.
  • Also enable “Audit logon events” for both Success and Failure. This records the session logons (4624/4625) on the computer where the session is created, so it has to reach member servers and workstations, not only the DCs.
  • On current Windows versions prefer the equivalent subcategories under Security Settings > Advanced Audit Policy Configuration (Account Logon > Audit Credential Validation and Audit Kerberos Authentication Service; Logon/Logoff > Audit Logon). Once any advanced subcategory is configured, the advanced settings take precedence over the legacy categories, so do not mix the two.
  • Link the GPO to the domain or an organizational unit that contains the computers you want to audit

Note: Group Policy only reaches domain-joined computers, so 4624/4625 from a non-domain-joined device is never collected. Any device that authenticates a domain account, joined or not, still produces 4768/4771/4776 on the domain controller that validated the credentials, which is why the DC-side account logon events are the reliable baseline.
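The query side of the procedure above, as an added example that is not part of the original post. It is PowerShell and assumes the RSAT ActiveDirectory module on the admin host plus remote Event Log (RPC) access to each DC; the account name jdoe and the 24-hour window are placeholder inputs. It goes beyond the text in pulling the DC-side account logon events (4768/4771/4776) alongside 4624/4625, because on a DC the 4624/4625 pairs only describe logons to the DC itself.

```powershell
# Added example (not from the original post). Pulls logon and authentication
# events for one account from every domain controller. Assumes the RSAT
# ActiveDirectory module and remote Event Log (RPC) access to the DCs.
# $User and $Hours are placeholder inputs.
param(
    [string]$User  = 'jdoe',   # assumed sample account name
    [int]   $Hours = 24
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4624/4625: session created/refused on the DC itself
# 4768/4771: Kerberos TGT issued / pre-auth failed (bad password) for any client
# 4776:      NTLM credential validation for any client
$ids = 4624, 4625, 4768, 4771, 4776

$logonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service';
                 '7'='Unlock'; '8'='NetworkCleartext'; '9'='NewCredentials';
                 '10'='RemoteInteractive'; '11'='CachedInteractive' }

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when no events match, as well as on RPC failure
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read EventData fields by name rather than by positional index,
        # since the index of each field differs between the event IDs.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $User) { continue }

        # 4625/4771 are failure-only; the others carry the result in Status (0x0 = ok)
        $failed = ($e.Id -in 4625, 4771) -or
                  ($data['Status'] -and $data['Status'] -ne '0x0')
        $result = if ($failed) { 'Failure' } else { 'Success' }

        # 4624/4625 use WorkstationName, 4776 uses Workstation
        $ws = if ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['Workstation'] }

        [pscustomobject]@{
            DC          = $dc
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Result      = $result
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $logonTypes[[string]$data['LogonType']]   # 4624/4625 only
            SourceIP    = $data['IpAddress']                        # 4624/4625/4768/4771
            Workstation = $ws
            Status      = $data['Status']   # e.g. 0xC000006D bad password (4625), 0x18 (4771)
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Run it as an account that is at least a member of Event Log Readers on each DC. A string of 4771 or 4776 failures for one account from one SourceIP or Workstation is the pattern to look for when hunting password spraying or a locked-out user.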

If there are multiple domain controllers in your Active Directory environment, each one only sees the authentications it handled, so the event logs from all of them need to be collected and consolidated in a central location. This can be done with the built-in Windows Event Forwarding (WEF).

Event Forwarding

Event Forwarding lets you configure domain controllers (and any other Windows hosts) to push selected events over WinRM to a central collector, where they land in the collector's Forwarded Events log. Here are the basic steps to set up a source-initiated subscription:

  • On the collector, run wecutil qc once to start the Windows Event Collector service and prepare the Forwarded Events log, then open “Event Viewer” and navigate to “Subscriptions” in the left pane.
  • Right-click on “Subscriptions” and select “Create Subscription”
  • Choose “Source computer initiated”, click “Select Computer Groups” and add the Domain Controllers group (or whichever computers should forward), then under “Events to collect” select the Security log and the event IDs you care about (4624, 4625, 4768, 4771, 4776) rather than the whole log
  • Under “Advanced”, configure the delivery optimization (Minimize Latency for logon tracking) and the protocol (HTTP on port 5985 is Kerberos-authenticated and encrypted at the WS-Management layer; HTTPS needs certificates on every source)
  • On the domain controllers, enable WinRM (winrm quickconfig) and point them at the collector with a GPO: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > “Configure target Subscription Manager”, with a value such as Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
  • The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default. Grant it read access on each source, either by adding it to the local “Event Log Readers” group or through the “Configure log access” policy for the Security log.

This ensures that the security events from all domain controllers are collected and stored on the central server, so you can track user logons across the entire domain from one location. Verify the subscription with wecutil gr <SubscriptionName> on the collector; each source should show as Active with no error.
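The same subscription built from the command line, as an added example that is not part of the original post. It assumes a collector named wec01.corp.example and a subscription named DC-Logons; both are placeholders. The collector half runs on the collector, the source half on each domain controller (the registry write is the value the GPO sets, shown for a one-off host; at scale use the GPO).

```powershell
# Added example (not from the original post). Creates the source-initiated
# subscription described above with wecutil and prepares one source host.
# Assumed names: collector wec01.corp.example, subscription DC-Logons.

# ----- Collector side -----
wecutil qc /q                      # start the Windows Event Collector service, enable ForwardedEvents

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-Logons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon and authentication events from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776)]]
        </Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Controllers (well-known SID alias DD) may forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path "$env:TEMP\DC-Logons.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\DC-Logons.xml"   # create the subscription from the XML
wecutil gs DC-Logons                   # confirm the definition loaded

# ----- Source side (each domain controller) -----
winrm quickconfig -q               # WinRM listener on 5985; forwarding runs over WS-Management

# Same value the "Configure target Subscription Manager" GPO writes.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name '1' -Type String `
    -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# NETWORK SERVICE (SID alias NS) cannot read the Security log by default; append
# a read (0x1) ACE to the channel's access SDDL so the forwarder can read it.
$line = (wevtutil gl Security | Select-String '^channelAccess:').Line
$sddl = $line.Substring($line.IndexOf(':') + 1).Trim()
if ($sddl -notmatch ';;;NS\)') {
    wevtutil sl Security /ca:"$sddl(A;;0x1;;;NS)"
}
gpupdate /target:computer /force   # pick up the policy and register with the collector
```

Give the sources a minute or two (up to the Refresh interval), then run wecutil gr DC-Logons on the collector: every DC should be listed as Active. Events arrive in the collector's Forwarded Events log, which is what a SIEM agent on the collector should read.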

Additionally, Sysmon (from Microsoft Sysinternals, not a third-party product) can add process and network telemetry alongside the Security log, and a SIEM such as Splunk can ingest the collector's Forwarded Events log to search, correlate and visualize logons across all domain controllers.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
