Task
I have a domain controller running on Windows Server 2016. The Event Viewer shows events with IDs 4624 and 4634 every time a user logs on or off with a domain user account (...maybe; the events may not really match a user logging off).
Using PowerShell I can get the relevant details out of a single event to create a report. I would like to output a single event for when they log on to a machine and another single event when they log off. E.g.
2023-09-14 09:37:56.889 - user1 logged off.
2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1
Problem
When I parse all events on the domain controller I get multiple repeated entries for the same logon attempt with lots of logons and logoffs all within a few milliseconds of each other. E.g.
2023-09-14 07:44:58.889 - user1 logged off.
2023-09-14 07:44:58.889 - user1 logged off.
2023-09-14 07:44:58.889 - user1 logged off.
2023-09-14 07:44:58.889 - user1 logged off.
2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1
2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1
2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1
2023-09-14 07:44:58.888 - user1 logged on to 10.0.0.1
Attempted solution
I've tried looking at the following fields and cannot see how to spot which events were the actual initial user logon events and which are the duplicates. They seem to be the same in all the simultaneous logon events.
- SubjectUserSid
- SubjectUserName
- TargetUserName
- LogonType
- IpAddress
There are even fewer details to look at for logoff events.
How do I go through all these 4624 and 4634 events and figure out the time when the user actually logged in and logged out?
I have thought about grouping all logon/logoff events within the same second or two as a single logon event but this seems crude. Is there anything in the Events the Domain Controller logs which allows me to get a single logon time and a single logoff time?
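Added example (Python, not code from the question): it pairs each 4624 with the 4634 that carries the same TargetLogonId, then collapses a burst of near-simultaneous sessions for the same user, IP and logon type into one logon/logoff line in the format used above. It assumes the TargetLogonId field is populated on both event types (each logon session gets its own logon ID, and its 4634 carries the same value), the event records are constructed rather than read from a real log, and the 2-second merge window is an assumption.

```python
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S.%f"

def ev(event_id, time, logon_id, ip=None, user="user1", logon_type=3):
    """Constructed record in the shape of events 4624/4634 (real field names, made-up values)."""
    return {"Id": event_id, "Time": time, "TargetUserName": user, "TargetLogonId": logon_id,
            "LogonType": logon_type, "IpAddress": ip}

# Three network logons in one burst, each with its own TargetLogonId, as in the question.
EVENTS = [
    ev(4624, "2023-09-14 07:44:58.888", "0x3e7a1", "10.0.0.1"),
    ev(4624, "2023-09-14 07:44:58.888", "0x3e7a2", "10.0.0.1"),
    ev(4634, "2023-09-14 07:44:58.889", "0x3e7a1"),
    ev(4634, "2023-09-14 07:44:58.889", "0x3e7a2"),
    ev(4624, "2023-09-14 07:44:58.890", "0x3e7a3", "10.0.0.1"),
    ev(4634, "2023-09-14 09:37:56.889", "0x3e7a3"),
]

def pair_sessions(events):
    """Join each 4624 to the 4634 carrying the same TargetLogonId: one session per logon ID."""
    logoffs = {e["TargetLogonId"]: e for e in events if e["Id"] == 4634}
    sessions = []
    for on in (e for e in events if e["Id"] == 4624):
        off = logoffs.get(on["TargetLogonId"])
        sessions.append({"user": on["TargetUserName"], "ip": on["IpAddress"], "type": on["LogonType"],
                         "start": datetime.strptime(on["Time"], FMT),
                         "end": datetime.strptime(off["Time"], FMT) if off else None})  # None: no logoff seen
    return sorted(sessions, key=lambda s: s["start"])

def collapse(sessions, window=timedelta(seconds=2)):
    """Merge sessions of the same user/IP/logon type that start within `window` of the previous
    merged session's end (or its start, if still open): earliest logon and latest logoff win."""
    merged = []
    for s in sessions:
        last = merged[-1] if merged else None
        same = last and (last["user"], last["ip"], last["type"]) == (s["user"], s["ip"], s["type"])
        if same and s["start"] - (last["end"] or last["start"]) <= window:
            if last["end"] is not None:  # an already-open merged session stays open
                last["end"] = None if s["end"] is None else max(last["end"], s["end"])
        else:
            merged.append(dict(s))
    return merged

def report(sessions):
    """Render sessions in the one-line-per-event format used in the question."""
    lines = []
    for s in sessions:
        lines.append(f"{s['start'].strftime(FMT)[:-3]} - {s['user']} logged on to {s['ip']}")
        if s["end"] is not None:
            lines.append(f"{s['end'].strftime(FMT)[:-3]} - {s['user']} logged off.")
    return lines
```

Running `report(collapse(pair_sessions(EVENTS)))` turns the six sample events into the two lines shown in the Task section; sessions with no matching 4634 are reported as still logged on.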