Auditing Active Directory logons and logoffs is made extremely simple with Blackbird Group’s Identity Auditor
A manager walks into your office and would like to know where a user last logged on and how many days ago that happened. You open Event Viewer and connect to a domain controller in that site. Filtering the event log for successful logon attempts made by that user, you find a few. You check the second DC and find a few more. As you are looking through these two logs, the manager is quietly wondering why such a simple request takes so long. This process could be a lot quicker if all of the logon requests were in one location.
Blackbird Privilege Identity Auditor – Report
To make this easier, Blackbird Group has released Privilege Identity Auditor as a free solution that centrally collects and sorts authentication requests from your Domain Controllers or other sensitive computers.
Blackbird Privilege Identity Auditor provides a complete collection of built-in reports. These reports can help any IT administrator gain useful insight into their AD environment as well as provide quick answers to common questions. The built-in reports include:
- Recent Logons (for domain controllers, member servers, or desktops)
- Interactive Logons
- Inactive users
- Failed logons
- Failed Interactive logons
Each report shows the account in question, the type of logon, the originating workstation, and the authenticating server.
The common report interface makes filtering data extremely easy.
Setting up the Identity Auditor is very straightforward. In fact, the longest part may be the download itself – which can be found here. While I prefer installing it on a dedicated member server, it can be installed on a desktop or domain controller. To make the install smoother, make sure your machine meets the necessary prerequisites. You will need .NET Framework 3.5, Microsoft Report Viewer, and SQL Server 2008 Express or higher. If you don’t have Report Viewer preinstalled, the Identity Auditor setup will install it for you. If you don’t currently have an available SQL database, one can be installed and configured within Identity Auditor.
If needed, the Identity Auditor setup guide provides an extensive walkthrough for the SQL setup.
After the SQL database is configured, you will need to configure a service account that has the correct permissions to view the event log of any machines that you wish to audit. For Windows Server 2008 machines, you can add the service user to the Event Log Readers local group. For Windows Server 2003 machines, Microsoft provides a decent workaround available here. Finally, add the machines that you wish to monitor. To make this easier, you can filter your search to only include domain controllers.
More complicated searches, such as specific attribute filtering, can be performed under the advanced tab.
The last step is to ensure that servers record Success and Failure Logon events. This setting can be found under Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy within a Group Policy Object.
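To show what the steps above are working towards, here is an added example (my own script, not part of the article and not Blackbird's code) that pulls logon events from several domain controllers into one table and answers the manager's question from the opening paragraph. It assumes the account running it is in each DC's Event Log Readers group, that Success and Failure auditing of logon events is enabled as described above, and that the DC names are placeholders; event IDs 4624 (successful logon) and 4625 (failed logon) are the standard Windows Server 2008+ Security log IDs.

```powershell
# Added example: central "recent logons" report built from the Security logs of
# several DCs. Placeholder hostnames; replace with your own domain controllers.
$DomainControllers = @('DC01', 'DC02')
$Since = (Get-Date).AddDays(-30)

# 4624 = successful logon, 4625 = failed logon (Windows Server 2008+ IDs).
$Filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }

$Events = foreach ($dc in $DomainControllers) {
    try {
        # Requires Event Log Readers membership (or local admin) on each DC.
        Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                # Read the event payload by field name rather than by position,
                # since 4624 and 4625 lay their properties out differently.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Server      = $dc                       # authenticating server
                    Account     = $data['TargetUserName']
                    Domain      = $data['TargetDomainName']
                    LogonType   = [int]$data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
                    Workstation = $data['WorkstationName']  # originating workstation
                    SourceIP    = $data['IpAddress']
                    Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                }
            }
    } catch {
        # A DC that cannot be reached, or where auditing is off, still gets reported.
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
    }
}

# Drop computer accounts (trailing $) and built-in identities so only people remain.
$UserEvents = $Events | Where-Object {
    $_.Account -notmatch '\$$' -and $_.Account -notin 'ANONYMOUS LOGON', 'SYSTEM'
}

# Most recent successful logon per account across all DCs, with "days ago".
$UserEvents | Where-Object Result -eq 'Success' |
    Sort-Object Time -Descending | Group-Object Account | ForEach-Object {
        $last = $_.Group[0]   # groups keep sort order, so [0] is the newest
        [pscustomobject]@{
            Account     = $_.Name
            LastLogon   = $last.Time
            DaysAgo     = [int]((Get-Date) - $last.Time).TotalDays
            Workstation = $last.Workstation
            Server      = $last.Server
        }
    } | Sort-Object DaysAgo | Format-Table -AutoSize
```

Filtering `$UserEvents` on `Result -eq 'Failure'` instead gives the equivalent of the Failed Logons report; an empty result from a DC that answers without error usually means logon auditing is not enabled there.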
Blackbird Privilege Identity Auditor is now configured and collecting! If your organization currently doesn’t audit logon events, do so. Logon events cannot be viewed if auditing is not enabled and you certainly don’t want to enable auditing after you need it. If you currently do not have a central way to analyze and report on these events, try out Identity Auditor and let us know what you think in the comment section below!