Windows Logon/Logoff audit log


(Davide Principi) #1

I was recently asked to record when a user logs on or off a Windows workstation. Both the MS and Samba¹ Active Directory implementations produce a lot of events related to user authentication and authorization. Samba seems to be missing a “logoff” trace.

But the goal here is to have a simple, readable log file with just the logon/logoff events traced.

The proposed solution is based on a PowerShell script that acts as a syslog client. It runs on a Windows workstation and sends the logon/logoff events to its DC, where we run an rsyslogd service.

I configured a GPO to deploy the PowerShell script, but it should also work on non-member workstations by tweaking the Windows Registry or similar.

The full description and implementation are available here: https://github.com/DavidePrincipi/gpoaudit

[1] https://wiki.samba.org/index.php/Setting_up_Audit_Logging
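As an added illustration of the client side described above (this is not the gpoaudit project's own script), the following PowerShell builds an RFC 3164 syslog line for a logon or logoff event and sends it over UDP to the DC's rsyslogd. The DC name `dc.example.local`, the port 514 and the `gpoaudit` tag are assumed placeholders; a GPO user logon script would call it with `-EventType logon`, the logoff script with `-EventType logoff`.

```powershell
# Added example, not code from the gpoaudit repository.
# Assumptions: the DC runs rsyslogd listening on UDP/514 and is reachable as
# "dc.example.local" (placeholder); the script runs in the user's session.
param(
    [Parameter(Mandatory = $true)][ValidateSet('logon', 'logoff')]
    [string]$EventType,
    [string]$SyslogHost = 'dc.example.local',   # placeholder, set to your DC
    [int]$SyslogPort = 514
)

function New-SyslogLine {
    param([string]$Type, [string]$User, [string]$Computer, [int]$Session)
    # PRI = facility * 8 + severity: facility 4 (auth), severity 6 (info) -> <38>
    $pri = (4 * 8) + 6
    # RFC 3164 timestamp: "Mar  5 09:04:01" (day right-aligned in two columns)
    $now = Get-Date
    $ts  = '{0:MMM} {1,2} {0:HH:mm:ss}' -f $now, $now.Day
    # HOSTNAME is the workstation, TAG identifies the source on the DC side
    return "<$pri>$ts $Computer gpoaudit: $Type user=$User session=$Session"
}

function Send-SyslogUdp {
    param([string]$Line, [string]$Target, [int]$Port)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Line)
    $udp   = New-Object System.Net.Sockets.UdpClient
    try {
        # Send(byte[] dgram, int bytes, string hostname, int port)
        [void]$udp.Send($bytes, $bytes.Length, $Target, $Port)
    } finally {
        $udp.Close()
    }
}

# DOMAIN\user of the interactive session and its Windows session id
$user    = "$env:USERDOMAIN\$env:USERNAME"
$session = (Get-Process -Id $PID).SessionId
$line    = New-SyslogLine -Type $EventType -User $user `
                          -Computer $env:COMPUTERNAME -Session $session
Send-SyslogUdp -Line $line -Target $SyslogHost -Port $SyslogPort
```

UDP syslog is unauthenticated and can be spoofed or dropped, so on the DC restrict the rsyslogd listener to the domain network and prefer TCP or TLS transport where the readable log is relied on for accountability.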

(Davide Principi) #2

Bumped this topic because I’ve just fixed the README instructions.

https://github.com/DavidePrincipi/gpoaudit/commits/master/README.md


(Rob Bosch) #3

But what if there are no Windows based clients? Could there be a solution for Linux based clients? (You could argue that you wouldn’t need the Samba4AD account provider without MS Windows clients, but I think Linux clients can also benefit from Samba4AD…)


(Davide Principi) #4

What are the GPOs supported by Linux clients that you are thinking about? What is the use case?


(Rob Bosch) #5

Maybe not GPO’s as in place for managing Windows user and device accounts. But I can imagine you also would like to be able to manage Linux based device accounts. I mean, I can join a Samba4 AD account with a Linux client. It would be nice to be able to set rules for that device account…


(Davide Principi) #6

Please make an example!


(Rob Bosch) #7

With GPO you could redirect home directories to a network share. What I understood is, when you log into a domain account on a Linux device, a local home directory is created. The same behavior when logging in on a Linux device as when logging in on a Windows device would be nice, wouldn’t it…

I don’t know if this is the right example… but I just want to be able to have as transparent as possible a use of devices on a network, regardless of whether it is a Linux device or a Windows device.


(Markus Neuberger) #8

It should be possible to have server side home dirs: