Windows Logon/Logoff audit log

gpo
activedirectory

(Davide Principi) #1

I was recently asked to record when a user logs on or off a Windows workstation. Both the MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.

But the goal here is to have a simple, readable log file with just the logon/logoff events traced.

The proposed solution is based on a PowerShell script that acts as a syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run an rsyslogd service.

I configured a GPO to deploy the PowerShell script, but it should also work on non-member workstations by tweaking the Windows Registry or similar.

The full description and implementation are available here: https://github.com/DavidePrincipi/gpoaudit

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging
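Added example (not the gpoaudit script and not part of the post above): a minimal PowerShell syslog client of the kind described, which formats one logon or logoff event as an RFC 5424 message and sends it over UDP to the DC. Assumptions that are not in the post: the rsyslogd on the DC listens on UDP port 514, the host name `dc.example.lan` is a placeholder, the SD-ID `audit@32473` uses the private enterprise number RFC 5424 reserves for examples, and the `-Event` parameter is supplied by whatever runs the script (a GPO logon script would pass `-Event logon`, a logoff script `-Event logoff`).

```powershell
# Added example, not the gpoaudit project's own script.
# Sends one logon/logoff event to a syslog server (assumed: rsyslogd on the DC, UDP 514).
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('logon', 'logoff')]
    [string]$Event,
    [string]$SyslogServer = 'dc.example.lan',   # placeholder DC name, not from the post
    [int]$SyslogPort = 514
)

function ConvertTo-SdParamValue {
    # RFC 5424 section 6.3.3: inside a PARAM-VALUE the characters '"', '\' and ']'
    # must be escaped. DOMAIN\user names contain a backslash, so this matters here.
    param([string]$Value)
    return $Value.Replace('\', '\\').Replace('"', '\"').Replace(']', '\]')
}

function New-SyslogMessage {
    param(
        [string]$EventType,
        [string]$User,
        [string]$Computer,
        [datetime]$Timestamp = (Get-Date)
    )
    # PRI = facility * 8 + severity; facility 4 (auth) and severity 6 (info) give 38
    $pri = 4 * 8 + 6
    # RFC 5424 timestamp: ISO 8601 with a UTC offset, culture-invariant separators
    $ts = $Timestamp.ToString('yyyy-MM-ddTHH:mm:ss.fffK',
        [System.Globalization.CultureInfo]::InvariantCulture)
    $appName = 'gpoaudit'
    # Structured data keeps the fields machine-readable; 32473 is the example enterprise number
    $sd = '[audit@32473 event="{0}" user="{1}" computer="{2}"]' -f `
        (ConvertTo-SdParamValue $EventType),
        (ConvertTo-SdParamValue $User),
        (ConvertTo-SdParamValue $Computer)
    $msg = "User $User $EventType on $Computer"
    # HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
    return "<$pri>1 $ts $Computer $appName - - $sd $msg"
}

function Send-SyslogMessage {
    param(
        [string]$Message,
        [string]$Server,
        [int]$Port
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($bytes, $bytes.Length)
    }
    finally {
        $udp.Close()
    }
}

# Identify the interactive user and the workstation from the running session's environment
$user = "$env:USERDOMAIN\$env:USERNAME"
$computer = $env:COMPUTERNAME
$line = New-SyslogMessage -EventType $Event -User $user -Computer $computer
Send-SyslogMessage -Message $line -Server $SyslogServer -Port $SyslogPort
```

On the DC side rsyslogd only receives this if UDP reception is enabled (`module(load="imudp")` and `input(type="imudp" port="514")` in rsyslog.conf), and a filter on `$programname == 'gpoaudit'` can route these lines into a dedicated file so the resulting log contains nothing but the logon/logoff records. UDP syslog is unauthenticated and unencrypted, so on anything but a trusted LAN the same message should go over TLS (rsyslog's `imtcp` with TLS, or `omrelp`) rather than plain UDP.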