Windowsgeek
Copper Contributor
Apr 30, 2025

Windows Active Directory auditing

Hello,

In a Windows Daemon network, I want to know how many times users have logged in and to which systems. Is there a script or tool for this?

Thank you.

1 Reply

  • Option 1 – Use a PowerShell script (no extra tools)

    Run this script on a domain admin workstation or any system with the ActiveDirectory module:

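    # Get logon events from all domain computers
    $computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name

    $results = foreach ($pc in $computers) {
        try {
            # -LogName and -FilterHashtable are separate parameter sets, so the
            # log name goes inside the hashtable.
            # For event 4624, Properties[5] is TargetUserName, Properties[6] is
            # TargetDomainName and Properties[8] is LogonType.
            # Replace DOMAIN with your own domain name.
            Get-WinEvent -ComputerName $pc -ErrorAction Stop `
            -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-7)} |
            Where-Object { $_.Properties[6].Value -like "*DOMAIN*" } |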
            Select-Object @{n='Computer';e={$pc}},
                          @{n='User';e={$_.Properties[5].Value}},
                          @{n='LogonType';e={$_.Properties[8].Value}},
                          TimeCreated
        }
        catch {
            Write-Warning "Could not query $pc"
        }
    }

    $results | Export-Csv "C:\Reports\UserLogons.csv" -NoTypeInformation


    📄 This collects the past week's logons (Event 4624) from every reachable computer and saves the results to a CSV file (UserLogons.csv).

     Option 2 – Use built-in Windows auditing

    In Group Policy Management, edit a GPO applied to all computers:

    Computer Configuration → Windows Settings → Security Settings →
    Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon Events


    Enable Success and Failure.

    Wait for policy replication.

    Events will now appear under Event Viewer → Security log → ID 4624/4634 on each system.

     Option 3 – Use Windows Event Forwarding (WEC)

    If you want a centralized log view:

    Configure a Windows Event Collector server.

    Forward 4624/4634 events from all computers to it.

    Then query them with PowerShell or Event Viewer.

    Event IDs to know

    Event ID    Meaning
    4624        Successful logon
    4625        Failed logon
    4634        Logoff
    4647        User-initiated logoff
    4672        Admin privileges assigned

    Summary

    You can track user logins in Active Directory using built-in event logs.
    For automation, use a PowerShell script (like above) or Windows Event Forwarding for central reporting.
    No third-party tools are required — everything is included in Windows Server.
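
To answer the "how many times, and on which systems" part of the question from the exported events, the rows can be grouped per user and computer. The following is an added example, not part of the reply above: the function name `Get-LogonSummary`, the sample rows, and the choice of which logon types and accounts to exclude are assumptions, and the timestamps are assumed to be in a format `[datetime]` can parse.

```powershell
# Constructed sample rows with the same columns the reply's script exports
# (Computer, User, LogonType, TimeCreated). For real data use:
#   $rows = Import-Csv 'C:\Reports\UserLogons.csv'
$rows = @'
Computer,User,LogonType,TimeCreated
PC01,alice,2,2025-04-28 08:01:12
PC01,alice,7,2025-04-28 12:30:45
PC01,PC01$,3,2025-04-28 12:31:00
PC02,DWM-1,2,2025-04-29 09:15:00
PC02,alice,10,2025-04-29 09:15:03
PC02,bob,2,2025-04-29 09:20:44
PC02,bob,3,2025-04-29 09:21:10
FS01,bob,3,2025-04-29 09:21:11
'@ | ConvertFrom-Csv

# Logon types where a person is at the console or in a remote session:
# 2 = interactive, 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached interactive.
# Type 3 (network) fires for every file share or GPO access and inflates the counts.
$interactiveTypes = '2', '7', '10', '11'

function Get-LogonSummary {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $LogonTypes = $interactiveTypes
    )
    # Keep interactive logon types only, then drop computer accounts (NAME$)
    # and the per-session window-manager / font-driver accounts (DWM-n, UMFD-n).
    $Events |
        Where-Object { $_.LogonType -in $LogonTypes } |
        Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch '^(DWM|UMFD)-\d+$' } |
        Group-Object User, Computer |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { [datetime]$_.TimeCreated } | Sort-Object)
            [pscustomobject]@{
                User       = $_.Group[0].User
                Computer   = $_.Group[0].Computer
                Logons     = $_.Count
                FirstLogon = $times[0]
                LastLogon  = $times[-1]
            }
        } |
        Sort-Object User, Computer
}

Get-LogonSummary -Events $rows | Format-Table -AutoSize
```

Pass `-LogonTypes '3'` (or any other set) to count network logons instead of interactive sessions.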
