Domain User Logon and Logoff Events

I had the need a few weeks ago to determine the logon and logoff times of users of our system. Fortunately we have the Windows server event logs captured. They are sent to a syslog server using NTsyslog, and we created a basic search capability enabling us to search for all events for a given user within a date range.

The Windows Security Logging and Other Esoterica blog was very helpful. Specifically, the articles "Deciphering Account Logon Events" and "The Trouble With Logoff Events" were very helpful. Randy Franklin Smith’s Windows Security Log Encyclopedia was, as always, an invaluable tool.

I used events 672/673 to identify logon times. In this particular case the user apparently never logged off, so determining the actual logoff time was difficult and was an educated guess. We have implemented a password-protected screen saver via Group Policy. It turns out a 672 event is raised each time a user authenticates to unlock the computer.
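
The approach described above can be sketched as follows. This is an added example, not the search tool from the post. The log line layout, host name and user names are constructed assumptions (not real NTsyslog output), and grouping by calendar day assumes sessions do not cross midnight.

```python
import re
from datetime import datetime

# Constructed sample lines in a simplified, assumed layout.
SAMPLE = """\
2007-08-01 08:02:11 DC01 security[success] 672 User Name: jdoe
2007-08-01 08:02:12 DC01 security[success] 673 User Name: jdoe
2007-08-01 09:47:30 DC01 security[success] 672 User Name: jdoe
2007-08-01 13:05:02 DC01 security[success] 672 User Name: jdoe
2007-08-01 13:05:03 DC01 security[success] 673 User Name: jdoe
2007-08-01 08:30:00 DC01 security[success] 672 User Name: asmith
2007-08-02 08:10:44 DC01 security[success] 672 User Name: jdoe
"""

LINE = re.compile(r"^(\S+ \S+) \S+ \S+ (672|673) User Name: (\S+)$")

def parse(text):
    """Yield (timestamp, event_id, user) for each 672/673 line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3).lower()

def daily_timeline(text, user):
    """Build a per-day view of one user's authentication events.

    logon     : first 672 of the day (None if only 673 events were seen)
    reauth    : later 672s, e.g. screen saver unlocks; not new logons
    last_seen : last 672/673 of the day, a lower bound on the logoff time
    """
    days = {}
    for ts, event_id, name in sorted(parse(text)):
        if name != user.lower():
            continue
        day = days.setdefault(ts.date(), {"logon": None, "reauth": [], "last_seen": ts})
        day["last_seen"] = ts
        if event_id != 672:
            continue
        if day["logon"] is None:
            day["logon"] = ts
        else:
            day["reauth"].append(ts)
    return days

if __name__ == "__main__":
    for day, info in daily_timeline(SAMPLE, "jdoe").items():
        print(day, info["logon"].time(), len(info["reauth"]), info["last_seen"].time())
```

With no logoff event to rely on, `last_seen` only says the user was still active at that time; the actual logoff remains an estimate.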


Steve Mullen has been involved in information technology for over 35 years. He is also actively involved in the music program (voice and English hand bells) and Vestry of St. Anne’s Episcopal Church in Damascus, MD.

Posted in Active Directory, Information Security, IT Security, Log Management, logging, Microsoft, Security, syslog, Windows


August 2007