Auditing Active Directory logons and logoffs is made extremely simple with Blackbird Group’s Identity Auditor

A manager walks into your office and would like to know where a user has last logged on as well as how many days ago that happened. You open up Event Viewer and connect to a domain controller in that site. Filtering the event log for successful logon attempts made by that user, you find a few. You check the second DC and find a few more. As you are looking through these two logs, the manager is quietly wondering why such a simple request takes so long. This process could be a lot quicker if all of the logon requests where in one location.

Blackbird Privilege Identity Auditor - Report

Blackbird Privilege Identity Auditor - Report

To make this easier, Blackbird Group has released Privilege Identity Auditor as a free solution that centrally collects and sorts authentication request from your Domain Controllers or other sensitive computers.

Blackbird Privilege Identity Auditor provides a complete collection of built-in reports. These reports can help any IT administrator gain interesting insight to their AD environment as well as provide quick answers to common questions. The built-in reports include:

  • Recent Logons (for domain controllers, member servers, or desktops)
  • Interactive Logons
  • Inactive users
  • Failed logons
  • Failed Interactive logons

Each report shows the account in question, the type of logon, the originating workstation, and the authenticating server.

Audit logon and logoff-Blackbird Privilege Identity Auditor - The common report interface makes filtering data extremely easy.

 

The common report interface makes filtering data extremely easy.

 

Setting up the Identity Auditor is very straightforward. In fact, the longest part may be the download itself – which can be found here. While I prefer installing it on a dedicated member server, it can be installed on a desktop or domain controller. To make the install smoother, make sure your machine meets the necessary prerequisites. You will need .NET Framework 3.5, Microsoft Report Viewer, and SQL Server 2008 Express or higher. If you don’t have report viewer preinstalled, the Identity Auditor setup will install it for you. If you don’t currently have an
available SQL database, one can be installed and configured within Identity Auditor.

Audit logon and logoff-Blackbird Privilege Identity Auditor - SQL Server

If needed, the Identity Auditor setup guide provides an extensive walkthrough for the SQL setup.

After the SQL database is configured, you will need to configure a service account that has the correct permissions to view the event log of any machines that you wish to audit. For Windows server 2008 machines, you can add the service user to the Event Log Readers local group. For Windows 2003 machines, Microsoft provides a decent workaround available here. Finally, add in the machines that you wish to monitor. To make this easier, you can filter your search to only
include domain controllers.

Audit logon and logoff-Blackbird Privilege Identity Auditor - Search

More complicated searches, such as specific attribute filtering, can be performed under the advanced tab.

The last step is to ensure that servers record Success and Failure Logon events. This setting can be found under Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy within a Group Policy Object.

Blackbird Privilege Identity Auditor is now configured and collecting! If your organization currently doesn’t audit logon events, do so. Logon events cannot be viewed if auditing is not enabled and you certainly don’t want to enable auditing after you need it. If you currently do not have a central way to analyze and report on these events, try out Identity Auditor and let us know what you think in the comment section below!

Blackbird Privilege Identity Auditor ^

3 Comments
  1. Marko S 9 years ago

    Thank you very much for this tip. We are planning to setup a syslog server that collects different type of logs from different machines/appliances. This application seems like something that we could use.

  2. Joseph Moody 9 years ago

    Not a problem! I thought it was a pretty nifty solution myself.

  3. Alex 6 years ago

    No free tool left

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account