In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective  

This article explains how to use ManageEngine ADAudit Plus to view detailed user logon and logoff times across domain-joined systems. It helps administrators track logon activity, monitor user session behavior, investigate security incidents, and generate reports for auditing and compliance purposes.

Prerequisites  

• All the workstations or servers where user logon and logoff activity needs to be tracked must be added and configured in ADAudit Plus under Server Audit > Configured Server(s) > Workstations or Server Audit > Configured Server(s) > Member Servers, respectively. Workstation or member server licenses must be available for these machines.

• The following audit policies must be enabled on all target workstations or member servers via the Group Policy Management Editor (underComputer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies):

• Installing the ADAudit Plus agent on workstations can provide deeper insights into user logon and logoff behavior, especially in distributed environments.

• Configure sufficient event log retention on endpoints to prevent log overwriting before ADAudit Plus collects the data.

Steps to follow

1. Open the ADAudit Plus web console.

2. Log on using an account with appropriate access permissions.

3. In the top menu, click Active Directory.

4. On the left panel, expand the Local Logon-Logoff section to view the related report options.

5. Select one of the following based on your reporting requirements:

• Logon Duration

• This is a computer-based report that allows you to filter data by specific systems such as domain controllers, workstations, or member servers.

• Users Logon Duration on Computers

• This is a user-centric report that lets you filter by individual users, groups, or organizational units (OUs) to focus on specific identities.

Both reports will include comprehensive logon session data, such as the following:

• User Name

• Client Host Name (the machine where the user logged on)

• Logon Time

• Logoff Time

• Logon Duration

• Logon Type (e.g., interactive, RDP, or network)

Validation and confirmation

1.  Perform a test logon and logoff  :

1. Log on to a domain-joined workstation with a test user account.

2. Wait a few minutes, then log off from the same machine.

2. Check the report for accuracy  :

1. Go to Active Directory > Local Logon-Logoff and select Logon Duration or Users Logon Duration on Computers.

2. Filter by the user or workstation used in the test.

3. Confirm that:

• The logon and logoff times are listed.

• The duration was calculated correctly.

• The client hostname matches the machine used.

Tips

•   Monitor high-risk workstations separately.

• Automate the generation and delivery of daily or weekly logon duration reports for auditing or productivity tracking.

• Deploy the ADAudit Plus agent on endpoints where precise tracking is critical, especially in cases of inconsistent event logging.

Related topics and articles  

• How to find a user's last logon in ADAudit Plus