Windows Logon/Logoff audit log

I was recently asked to record when a user logs on or off a Windows workstation. Both MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.

But the goal here is to have a simple, readable log file with just the logon/logoff events traced.

The proposed solution is based on a PowerShell script that acts as a syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run an rsyslogd service.

I configured a GPO to deploy the PowerShell script, but it should also work on non-member workstations by tweaking the Windows Registry or similar.

The full description and implementation are available here: https://github.com/DavidePrincipi/gpoaudit

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging

4 Likes
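The post describes the workstation side as a PowerShell syslog client invoked at logon and logoff. The script below is an added illustration of that design and is not the gpoaudit project's own code: it is meant to be run as a GPO logon/logoff script with `-Action Logon` or `-Action Logoff`, builds an RFC 3164 style syslog line for the event and sends it over UDP to the DC. The DC name `dc.example.local`, port 514, the facility/severity values and the `gpoaudit` program tag are assumptions chosen for the example, not values taken from the post or the repository.

```powershell
# Added example (not the gpoaudit project's code): minimal syslog client for
# logon/logoff events, intended to be run as a GPO logon/logoff script.
# Assumed values: DC hostname, UDP port 514 (rsyslog imudp) and the 'gpoaudit' tag.
param(
    [ValidateSet('Logon', 'Logoff')]
    [string]$Action = 'Logon',
    [string]$SyslogServer = 'dc.example.local',   # assumption: the DC running rsyslogd
    [int]$SyslogPort = 514                         # assumption: rsyslog listening via imudp
)

function ConvertTo-SyslogMessage {
    # Build an RFC 3164 style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
    param(
        [int]$Facility,      # 4 = auth (security/authorization messages)
        [int]$Severity,      # 6 = informational
        [string]$Hostname,
        [string]$Tag,
        [string]$Message
    )
    $pri = ($Facility * 8) + $Severity
    $now = Get-Date
    $inv = [Globalization.CultureInfo]::InvariantCulture
    # RFC 3164 timestamp: month abbreviation, space-padded day, HH:mm:ss
    $ts = '{0} {1,2} {2}' -f $now.ToString('MMM', $inv), $now.Day, $now.ToString('HH:mm:ss', $inv)
    return "<$pri>$ts $Hostname ${Tag}: $Message"
}

function Send-SyslogUdp {
    # One datagram per event; rsyslog on the DC must have imudp loaded for this port.
    param([string]$Server, [int]$Port, [string]$Line)
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Line)
        [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
    } finally {
        $udp.Close()
    }
}

# Event record: who, where, which session, when (UTC so lines from many
# workstations line up in the DC's log file).
$record = '{0} user={1}\{2} host={3} session={4} time={5:o}' -f `
    $Action, $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, `
    (Get-Process -Id $PID).SessionId, [DateTime]::UtcNow

$line = ConvertTo-SyslogMessage -Facility 4 -Severity 6 `
    -Hostname $env:COMPUTERNAME -Tag 'gpoaudit' -Message $record
Send-SyslogUdp -Server $SyslogServer -Port $SyslogPort -Line $line
```

On the DC, rsyslog needs the imudp input enabled on the chosen port and a rule that routes messages with program name `gpoaudit` into their own file, which yields the simple one-line-per-event log the post is after. Plain UDP syslog carries no integrity protection or sender authentication, so the DC should accept it only from the workstation subnet (host firewall or rsyslog's allowed-sender list), and a TCP or TLS transport is preferable where the rsyslog side is set up for it.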

Bumped this topic because I’ve just fixed the README instructions:

https://github.com/DavidePrincipi/gpoaudit/commits/master/README.md

But what if there are no Windows-based clients? Could there be a solution for Linux-based clients? (You could argue that you wouldn’t need the Samba4AD account provider without MS Windows clients, but I think Linux clients can also benefit from Samba4AD…)

What are the GPOs supported by Linux clients that you are thinking about? What is the use case?

Maybe not GPOs as in place for managing Windows user and device accounts. But I can imagine you would also like to be able to manage Linux-based device accounts. I mean, I can join a Samba4 AD account with a Linux client. It would be nice to be able to set rules for that device account…

Please make an example!

With GPO you could redirect home directories to a network share. What I understood is, when you log into a domain account on a Linux device, a local home directory is created. The same behavior when logging in on a Linux device as when logging in on a Windows device would be nice, wouldn’t it…

I don’t know if this is the right example… but I just want to be able to have as transparent as possible a use of devices on a network, regardless of whether it is a Linux device or a Windows device.

1 Like

It should be possible to have server-side home dirs:

1 Like