
Task

I have a domain controller running on Windows Server 2016. The Event Viewer shows events with IDs 4624 and 4634 every time a user logs on or off with a domain user account (...maybe; the events may not really match a user logging off).

Using PowerShell I can get the relevant details out of a single event to create a report. I would like to output a single event for when they log on to a machine and another single event for when they log off. E.g.

2023-09-14 09:37:56.889 - user1 logged off.

2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1

Problem

When I parse all events on the domain controller I get multiple repeated entries for the same logon attempt with lots of logons and logoffs all within a few milliseconds of each other. E.g.

2023-09-14 07:44:58.889 - user1 logged off.

2023-09-14 07:44:58.889 - user1 logged off.

2023-09-14 07:44:58.889 - user1 logged off.

2023-09-14 07:44:58.889 - user1 logged off.

2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1

2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1

2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1

2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1

Attempted solution

I've tried looking at the following fields and cannot see how to spot which event was the actual initial user logon event and which are the duplicates. They seem to be the same in all the simultaneous logon events.

  • SubjectUserSid
  • SubjectUserName
  • TargetUserName
  • LogonType
  • IpAddress

There are even fewer details to look at for logoff events.

How do I go through all these 4624 and 4634 events and figure out the time when the user actually logged in and logged out?

I have thought about grouping all logon/logoff events within the same second or two as a single logon event but this seems crude. Is there anything in the Events the Domain Controller logs which allows me to get a single logon time and a single logoff time?

1 Answer


As far as I know, there is no "logoff time" event that would correspond to what you want.

AD does not maintain any persistent state on domain controllers for the entire duration of a workstation logon; all the logouts that the DC sees are for transient connections to that DC, such as LDAP queries or Sysvol SMB access.

There is a distinct "logon time" when the user obtains a Kerberos TGT from the DC, which has its own event ID (4768) – although it is not necessarily limited to full logon; it could also be a workstation unlock or another similar event.

However, there is no corresponding "revoke ticket" or similar event. The DC doesn't actively track issued tickets or their validity (a ticket issued for 10 hours stays valid for 10 hours); a logoff just discards tickets client-side.

  • Thanks! Would there be logoff events on the local machines? We already need the remote registry service enabled, so we could look at requesting the events from every local machine from a single PowerShell script on the Domain Controller. Commented Sep 14, 2023 at 14:35
  • On the local machines? Yes, though I don't know the event IDs offhand. The "Security" log generally has logon/logoff events even for local accounts on non-domain workstations (not to be confused with "account logon" events); it should be the same in your case. Commented Sep 14, 2023 at 14:44
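To make the two points above concrete, here is an added PowerShell script; it is not code from the question or the answer. Part 1 pairs each 4624 on the DC with its own 4634 through the Logon ID both events carry (TargetLogonId, a field the question's list does not include), which shows that the burst of near-identical events is a set of distinct, short-lived network sessions rather than duplicates of one logon. Part 2 reads successful 4768 TGT requests as the closest thing the DC records to a logon time, with the answer's caveat that unlocks and renewals also produce them. The script assumes it runs on the DC as an account that can read the Security log; the user name and the 24-hour window are placeholders.

```powershell
# Added example, not code from the question or the answer. Assumes it runs on
# the domain controller with read access to the Security log; $User is a
# placeholder sAMAccountName and the 24 h window is arbitrary.
param(
    [string]$User    = 'user1',
    [datetime]$Start = (Get-Date).AddHours(-24)
)

# Flatten an EventRecord's EventData into a hashtable keyed by field name,
# so fields such as TargetLogonId can be read by name instead of by position.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Data = $data }
}

# Security-log events of the given IDs for $User since $Start, oldest first.
function Get-SecurityEvents {
    param([int[]]$Ids)
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Start }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventFields $_ } |
        Where-Object { $_.Data.TargetUserName -eq $User } |
        Sort-Object Time            # Get-WinEvent returns newest first
}

# --- Part 1: pair each 4624 with its own 4634 via TargetLogonId -------------
# Every 4624 carries a TargetLogonId; the 4634 for that same session carries
# the same value. Each row below is one DC session (an LDAP or SMB connection),
# which is why several appear within milliseconds of each other.
$sessions = [ordered]@{}
foreach ($e in Get-SecurityEvents -Ids 4624, 4634) {
    $key = $e.Data.TargetLogonId
    if ($e.Id -eq 4624 -and -not $sessions.Contains($key)) {
        $sessions[$key] = [pscustomobject]@{
            LogonId    = $key
            LogonType  = $e.Data.LogonType
            IpAddress  = $e.Data.IpAddress
            LogonTime  = $e.Time
            LogoffTime = $null      # stays null if the 4634 is outside the window
        }
    } elseif ($e.Id -eq 4634 -and $sessions.Contains($key)) {
        $sessions[$key].LogoffTime = $e.Time
    }
}
"DC sessions for $User (one row per LogonId):"
$sessions.Values | Format-Table LogonId, LogonType, IpAddress, LogonTime, LogoffTime -AutoSize

# --- Part 2: the closest thing to a logon time: successful 4768 TGT requests -
# Status 0x0 marks a successful TGT request. An unlock or a ticket renewal can
# also produce one, so treat these as 'authenticated at' marks, not proof of a
# console logon, and expect no matching logoff event at all.
$tgts = Get-SecurityEvents -Ids 4768 | Where-Object { $_.Data.Status -eq '0x0' }
"TGT requests (4768) for ${User}:"
$tgts | ForEach-Object {
    # The DC records client addresses as IPv4-mapped IPv6, e.g. ::ffff:10.0.0.1
    $ip = $_.Data.IpAddress -replace '^::ffff:', ''
    '{0:yyyy-MM-dd HH:mm:ss.fff} - {1} requested a TGT from {2}' -f $_.Time, $User, $ip
}
```

Run it from an elevated PowerShell on the DC, e.g. `.\Report-DcLogons.ps1 -User user1 -Start (Get-Date).AddDays(-1)` (the file name is whatever you save it as). The session table will typically show LogonType 3 rows a few milliseconds apart, each with its own LogonId and a LogoffTime seconds later, which is the pattern from the question; the 4768 list is the one timestamp per authentication that the question was after, and for a true workstation logoff time you would have to collect 4634/4647 from the workstation's own Security log, as the comments discuss.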
