Windows Logon/Logoff audit log

davidep · 2018-06-14 10:57:34 UTC

I was recently asked to record when a user logon/logoff on a Windows workstation. Both MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.

But the goal here is to have a simple, readable log file with just the logon/logoff events traced.

The proposed solution is based on a PowerShell script that acts as syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run a rsyslogd service.

I configured a GPO to deploy the PowerShell script, but should work also on non-members workstations by tweaking the Windows Registry or similar.

The full description and implementation is available here: https://github.com/DavidePrincipi/gpoaudit

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging

davidep · 2018-11-13 17:40:27 UTC

Bumped this topic because I’ve just fixed the README instructions

https://github.com/DavidePrincipi/gpoaudit/commits/master/README.md

robb · 2018-12-11 21:30:11 UTC

But what if there are no windows based clients? Could there be a solution for linux based clients? (you could argue that you wouldn’t need samba4AD account provider without MS Windows clients, but I think linux clients also can benefit from sa,ba4AD…)

davidep · 2018-12-11 21:32:30 UTC

What are the GPOs supported by Linux clients that you are thinking about? What is the use case?

robb · 2018-12-11 21:35:21 UTC

Maybe not GPO’s as in place for managing windows user and device accounts. But I can imagine you also would like to be able to manage linux based device accounts. I mean, I can join a Samba4 AD account with a linux client. It would be nice to be able to set rules for that device account…

davidep · 2018-12-11 21:36:23 UTC

Please make an example!

robb · 2018-12-11 21:54:09 UTC

With GPO you could redirect homedirectories to a network share. What I understood is, when you log into a domain account on a linx device, a local homedirectory is created. the same behavior when logging in on a linux device as when logging in on a windows device would be nice, wouldn’t it…

I don’t know if this is the right example… but I just want to be able to have an as transparent as possible use of device on a network, regardless if it is a linux device or a windows device.

mrmarkuz · 2018-12-11 23:20:11 UTC

It should be possible to have server side home dirs: