Forum Discussion
Windows Active Directory auditing
Option 1 – Use a PowerShell script (no extra tools)
Run this script on a domain admin workstation or any system with the ActiveDirectory module:
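    # Get logon events from all domain computers
    Import-Module ActiveDirectory
    $computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
    $results = foreach ($pc in $computers) {
        try {
            # LogName goes inside the hashtable: -LogName and -FilterHashtable
            # are separate parameter sets and cannot be combined.
            # 4624 fields by position: [5] TargetUserName, [6] TargetDomainName,
            # [8] LogonType. The domain filter therefore tests index 6.
            Get-WinEvent -ComputerName $pc -FilterHashtable @{
                    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7)
                } -ErrorAction Stop |
                Where-Object { $_.Properties[6].Value -like "*DOMAIN*" } |
                Select-Object @{n='Computer';e={$pc}},
                              @{n='User';e={$_.Properties[5].Value}},
                              @{n='LogonType';e={$_.Properties[8].Value}},
                              TimeCreated
        }
        catch {
            # Also raised when the host is reachable but has no matching events
            Write-Warning "Could not query ${pc}: $($_.Exception.Message)"
        }
    }
    $results | Export-Csv "C:\Reports\UserLogons.csv" -NoTypeInformation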
📄 This collects the past week’s logons (Event 4624) from every reachable computer and saves the results to a CSV file (UserLogons.csv).
Option 2 – Use built-in Windows auditing
In Group Policy Management, edit a GPO applied to all computers:
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Logon/Logoff → Audit Logon Events
Enable Success and Failure.
Wait for policy replication.
Events will now appear under Event Viewer → Security log → ID 4624/4634 on each system.
Option 3 – Use Windows Event Forwarding (WEC)
If you want a centralized log view:
Configure a Windows Event Collector server.
Forward 4624/4634 events from all computers to it.
Then query them with PowerShell or Event Viewer.
Event IDs to know
Event ID    Meaning
4624        Successful logon
4625        Failed logon
4634        Logoff
4647        User-initiated logoff
4672        Admin privileges assigned
Summary
You can track user logins in Active Directory using built-in event logs.
For automation, use a PowerShell script (like above) or Windows Event Forwarding for central reporting.
No third-party tools are required — everything is included in Windows Server.
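An added example, not part of the original post: the Option 1 script reads 4624 fields by position, and a week of 4624 events also contains network logons and computer accounts. This sketch reads the fields by name from the event XML and keeps only interactive logons by domain users. The helper name ConvertFrom-LogonEventXml, the DOMAIN, PC01 and PC02 values, and the sample events are assumptions constructed for illustration.

```powershell
# Added example. Sample events are constructed and trimmed to the fields used.
$LogonTypeName = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
                    7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

function ConvertFrom-LogonEventXml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        # Index EventData by field name instead of by position
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $name = $LogonTypeName[$type]
        if (-not $name) { $name = "Other($type)" }
        [pscustomobject]@{
            Computer      = $evt.System.Computer
            TimeCreated   = [datetime]$evt.System.TimeCreated.SystemTime
            User          = $data['TargetUserName']
            Domain        = $data['TargetDomainName']
            LogonType     = $type
            LogonTypeName = $name
        }
    }
}

# Constructed stand-in for the XML that $event.ToXml() returns for a 4624 record
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/><Computer>{1}</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{2}</Data>
    <Data Name="TargetDomainName">{3}</Data>
    <Data Name="LogonType">{4}</Data>
  </EventData>
</Event>
'@
$samples = @(
    $template -f '2024-05-01T08:15:00Z', 'PC01', 'alice', 'DOMAIN', 2
    $template -f '2024-05-01T08:15:02Z', 'PC01', 'PC01$', 'DOMAIN', 3
    $template -f '2024-05-01T09:40:10Z', 'PC02', 'bob',   'DOMAIN', 10
    $template -f '2024-05-01T09:41:00Z', 'PC02', 'localadmin', 'PC02', 2
)

# Keep console, RDP and cached logons by domain users; drop computer accounts
$samples | ConvertFrom-LogonEventXml |
    Where-Object { ($_.LogonType -in 2, 10, 11) -and ($_.User -notlike '*$') -and
                   ($_.Domain -eq 'DOMAIN') } |
    Format-Table Computer, User, LogonTypeName, TimeCreated
```

Against live logs, pipe `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` into the same function in place of `$samples`.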