Windows Logon/Logoff audit log

davidep · June 14, 2018, 10:57am

I was recently asked to record when a user logon/logoff on a Windows workstation. Both MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.

But the goal here is to have a simple, readable log file with just the logon/logoff events traced.

The proposed solution is based on a PowerShell script that acts as syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run a rsyslogd service.

I configured a GPO to deploy the PowerShell script, but should work also on non-members workstations by tweaking the Windows Registry or similar.

The full description and implementation is available here: https://github.com/DavidePrincipi/gpoaudit

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging

davidep · November 13, 2018, 5:40pm

Bumped this topic because I’ve just fixed the README instructions

https://github.com/DavidePrincipi/gpoaudit/commits/master/README.md

robb · December 11, 2018, 9:30pm

But what if there are no windows based clients? Could there be a solution for linux based clients? (you could argue that you wouldn’t need samba4AD account provider without MS Windows clients, but I think linux clients also can benefit from sa,ba4AD…)

davidep · December 11, 2018, 9:32pm

What are the GPOs supported by Linux clients that you are thinking about? What is the use case?

robb · December 11, 2018, 9:35pm

Maybe not GPO’s as in place for managing windows user and device accounts. But I can imagine you also would like to be able to manage linux based device accounts. I mean, I can join a Samba4 AD account with a linux client. It would be nice to be able to set rules for that device account…

davidep · December 11, 2018, 9:36pm

Please make an example!

robb · December 11, 2018, 9:54pm

With GPO you could redirect homedirectories to a network share. What I understood is, when you log into a domain account on a linx device, a local homedirectory is created. the same behavior when logging in on a linux device as when logging in on a windows device would be nice, wouldn’t it…

I don’t know if this is the right example… but I just want to be able to have an as transparent as possible use of device on a network, regardless if it is a linux device or a windows device.

mrmarkuz · December 11, 2018, 11:20pm

It should be possible to have server side home dirs: