How to Monitor User Activity in Windows Computers

Monitor User Activity in Windows Computers using Lepide Auditor
3 min read | Updated On - June 23, 2023

Understanding what your users are doing on your critical systems is a crucial part of identifying suspicious behavior before it leads to a security breach. Tracking user activity provides the information you need to spot malicious activity early and keep the organization from falling prey to a cyberattack.

Native Windows auditing (audit policy plus the Security event log) can be used to monitor user activity, but doing so by hand is time-consuming and often complex. Lepide Auditor overcomes the limitations of native auditing by giving you the visibility you need to detect and react to insider threats quickly and efficiently.

In this article, we will look at two methods for tracking user activity: the native auditing method (Event Log) and an automated solution using Lepide Auditor.

Track User Activity in Windows Computers using Event Logs

Follow the steps below:

  1. Enable Audit Policy
    • Open Server Manager on a domain controller (or on a management workstation with the RSAT tools installed).
    • From the Tools menu, open the Group Policy Management console.
    • Expand Forest, Domains, Your Domain, and select the OU that contains the computers whose logons you want to track. Logon, logoff, lock and unlock events are written to the Security log of the computer where the session takes place, so a GPO linked only to the Domain Controllers OU records logons to the domain controllers themselves, not logons to workstations or member servers.
    • You can either edit an existing Group Policy Object linked there or create a new one.
    • In the Group Policy Management Editor, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
    • In Audit Policy, select Audit logon events and enable Success and Failure auditing. This is the legacy, category-level setting; by default Windows ignores it as soon as any of the advanced (subcategory) settings from the next step are defined, so step 2 is what actually takes effect.
  2. Enable logon-logoff
    • Go back to Computer Configuration. Navigate to Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, Audit Policies, Logon/Logoff.
    • Enable Success and Failure auditing for Audit Logon, Success auditing for Audit Logoff (failure does not apply to logoffs), and Success auditing for Audit Special Logon. To record workstation lock and unlock events (4800 and 4801), also enable Success auditing for Audit Other Logon/Logoff Events.
    • Back in the Group Policy Management console, select the GPO that you have edited or created. Because audit settings live under Computer Configuration, the GPO has to apply to the computer accounts, not to user accounts: leave Authenticated Users (which includes domain computers) in Security Filtering, or replace it with a security group containing the computers to be monitored. Security Filtering cannot restrict auditing to particular users; once the policy applies, every account that logs on to those computers is audited, and you narrow down to specific users or groups when you filter the resulting events.
  3. Use Event Viewer to check the logs
    • On a monitored computer, open Event Viewer and navigate to Windows Logs, Security. (Event Viewer can also be pointed at another machine via Action, Connect to Another Computer.)
    • Look for the following event IDs:

      Event ID   Description
      4624       An account was successfully logged on
      4625       An account failed to log on (recorded because Failure auditing was enabled for Audit Logon)
      4634       An account was logged off
      4647       User initiated logoff
      4672       Special privileges assigned to new logon (an administrative logon)
      4800       The workstation was locked
      4801       The workstation was unlocked

      In 4624 and 4625 the Logon Type field tells you how the account connected: 2 is an interactive console logon, 3 is a network logon (for example a file share), 7 is an unlock, 10 is a RemoteInteractive (RDP) logon and 11 is a cached interactive logon. Type 3 logons by computer accounts (names ending in $) make up most of the volume and are rarely what you want when tracking what a person did on a machine.

    • Click Filter Current Log in the Actions pane on the right to filter the log by event ID or by the time range for which the information is required.
    • System administrators then have to go through the list of logon times and identify suspicious patterns, if any. This is a tedious and error-prone process: each computer keeps its own Security log, and there is a high chance that some events will be overlooked.
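The PowerShell script below is an added example, not code from the Lepide article or from the Lepide product. It does the same work as the Event Viewer steps above, but from the command line: it checks that the advanced audit settings pushed by the GPO are actually in effect, pulls the logon-related Security events for a date range, flattens them into objects that can be filtered and grouped, strips the computer-account and service-account noise, and flags accounts with repeated failed logons from one source. It is assumed to run in an elevated PowerShell session on the monitored computer (reading the Security log needs administrative rights); the 7-day window, the failed-logon threshold of 5 and the export path are illustrative defaults chosen for this example.

```powershell
# Added example (not part of the original article or the Lepide product).
# Verify the effective logon/logoff audit policy on this computer, then collect and
# summarise the logon-related Security events that the GUI steps above inspect by hand.
# Assumptions: run elevated on the monitored computer; -Days, -FailedLogonThreshold and
# -ExportPath are illustrative defaults.
param(
    [int]$Days = 7,
    [int]$FailedLogonThreshold = 5,
    [string]$ExportPath = "$env:TEMP\logon-activity.csv"
)

# 1. Confirm the GPO applied. auditpol reports the *effective* policy regardless of where
#    it came from; a subcategory showing "No Auditing" means no events will be written.
auditpol.exe /get /category:"Logon/Logoff"

# 2. Query the Security log for the event IDs from the table, limited to a time range.
#    A FilterHashtable is evaluated by the event log service itself, which is much faster
#    than pulling the whole log and filtering with Where-Object.
$eventIds = 4624, 4625, 4634, 4647, 4672, 4800, 4801
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue   # Get-WinEvent raises an error, not an empty result, when nothing matches

# 3. Flatten each event's EventData into a simple object. Field names differ between IDs:
#    the logged-on account is TargetUserName for 4624/4625/4634/4647/4800/4801 but only
#    SubjectUserName exists for 4672, so fall back when the first is absent.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    $user   = if ($data['TargetUserName'])   { $data['TargetUserName'] }   else { $data['SubjectUserName'] }
    $domain = if ($data['TargetDomainName']) { $data['TargetDomainName'] } else { $data['SubjectDomainName'] }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Domain    = $domain
        User      = $user
        LogonType = $data['LogonType']   # 2 console, 3 network, 7 unlock, 10 RDP, 11 cached
        Source    = $data['IpAddress']   # populated for 4624/4625, empty for the others
        Computer  = $e.MachineName
    }
}

# 4. Cut the noise. Computer accounts (names ending in $), built-in service identities and
#    network (type 3) logons dominate the log but rarely describe a person using the machine.
$interactiveTypes = '2', '7', '10', '11'
$sessions = $records | Where-Object {
    $_.User -and
    $_.User -notlike '*$' -and
    $_.User -notlike 'DWM-*' -and $_.User -notlike 'UMFD-*' -and
    $_.User -notin 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON' -and
    ($_.Id -ne 4624 -or $_.LogonType -in $interactiveTypes)
}

# 5. Failed-logon bursts: many 4625s for one account from one source inside the window is the
#    password-guessing pattern an administrator scanning the log by eye is most likely to miss.
$failedBursts = $records |
    Where-Object Id -eq 4625 |
    Group-Object User, Source |
    Where-Object Count -ge $FailedLogonThreshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name

Write-Host "Interactive logon/logoff/lock/unlock events for the last $Days day(s):"
$sessions | Sort-Object Time | Format-Table Time, Id, Domain, User, LogonType, Source -AutoSize

Write-Host "Accounts with $FailedLogonThreshold or more failed logons from a single source (User, Source):"
$failedBursts | Format-Table -AutoSize

# 6. Keep a copy of the cleaned-up list so it can be reviewed outside Event Viewer.
$sessions | Sort-Object Time | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported $(@($sessions).Count) events to $ExportPath"
```

Save the block as a .ps1 file and run it as, for example, `.\Get-LogonActivity.ps1 -Days 14 -FailedLogonThreshold 10`. The script reads only the local Security log; because each computer keeps its own log, you would have to run it on (or remote it to) every machine you care about, which is exactly the scaling problem that makes the manual Event Viewer approach tedious.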

Monitor User Activity in Windows Computers Using the Lepide Auditor

Lepide Auditor for Active Directory overcomes the complexity of the native method by providing a straightforward way to identify suspicious insider activity in Active Directory through its Logon/Logoff reports and its Permissions Modification report.

Lepide Auditor for Active Directory includes several Logon/Logoff reports to track logon activity. Two of these reports are Failed User Logon and Successful User Logon/Logoff Reports.

Event Logs for Failed Logons

How to run the Failed Logon Report:

  • Click the User & Entity Behavior Analytics icon and select Active Directory Reports, Logon/Logoff Reports, Failed Logon
  • Select a Date Range and click Generate Report
  • The report is generated and can be sorted, filtered, grouped, saved, and exported.

Successful User Logon/Logoff

How to run the Successful User Logon/Logoff Report:

  • Click the User & Entity Behavior Analytics icon and select Active Directory Reports, Logon/Logoff Reports, Successful User Logon/Logoff
  • Select a Date Range and click Generate Report
  • The report is generated and can be sorted, filtered, grouped, saved, and exported.
