Active Directory Login Monitor
The Active Directory Login Monitor watches the Security Event Log and records logins to a database. It can also alert for certain login events, and run reports later to see a history of logins.
The monitor is powerful, yet simple to set up. All events get written to the database, so you have full reporting capability later. To alert on specific events, check the box next to the category.
Login Event Categories
There are many types of logins and similar events that the monitor will watch. These events are grouped into the following categories:
Note: 3-digit Event IDs are generally for Windows 2003 and earlier. In addition, some Event IDs are listed in multiple categories. In that case, information within the event is checked to determine which category the event should be assigned to.
|Category|Included Event IDs|
|---|---|
|Logoff|538, 551, 683, 4634, 4647, 4779|
|Logon Failed|529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 675, 4625, 4768, 4771, 4772, 4825|
|Administrator Logon|576, 4672|
|Logon Succeeded - Interactive (Logon Type 2 - Console)|528, 540, 4624|
|Logon Succeeded - Interactive - Cached Credentials (Logon Type 11)|528, 540, 4624|
|Logon Succeeded - Remote Interactive (Logon Type 10 - RDP, etc.)|528, 540, 4624|
|Logon Succeeded - Remote Interactive - Cached Credentials (Logon Type 12 - RDP, etc.)|528, 540, 4624|
|Logon Succeeded - Unlock Workstation (Logon Type 7)|528, 540, 4624|
|Logon Succeeded - Unlock Workstation - Cached Credentials (Logon Type 31)|528, 540, 4624|
|Logon Succeeded - Network (Logon Type 3)|528, 540, 4624|
|Logon Succeeded - Batch (Logon Type 4)|528, 540, 4624|
|Logon Succeeded - Service (Logon Type 5)|528, 540, 4624|
|Logon Succeeded - Network Clear Text (Logon Type 8)|528, 540, 4624|
|Logon Successful - Different Credentials|528, 540, 4624|
Other Security Categories
In addition to login tracking, other security-related events are tracked, such as user and group changes, accounts locked out, consoles locked, etc.
|Category|Included Event IDs|
|---|---|
|Console Locked|4800, 4802|
|Console Unlocked|4801, 4803|
|Group Created|631, 635, 658, 694, 4727, 4731, 4754, 4783, 4790|
|Group Deleted|634, 638, 662, 693, 696, 4730, 4734, 4758, 4789, 4792|
|Group Changed|639, 641, 659, 668, 695, 4735, 4737, 4755, 4764, 4784, 4791|
|Member Added To Group|632, 636, 660, 689, 4728, 4732, 4756, 4785|
|Member Removed From Group|633, 637, 661, 690, 4729, 4733, 4757, 4786|
|Security Alert (DoS, replay, and IPsec events)|4646, 4649, 4976, 4977, 4978|
|User Account Created|624, 4720|
|User Account Deleted|630, 4726|
|User Account Changed|608, 609, 642, 685, 4704, 4705, 4738, 4781|
|User Account Enabled|626, 4722|
|User Account Disabled|629, 4725|
|User Account Locked Out|644, 4740, 6279|
|User Account Unlocked|671, 4767, 6280|
|User Credentials Change Succeeded|627, 628, 4723, 4724, 5377|
|User Credentials Change Failed|627, 4723, 4724|
Some events, such as failed login attempts, only matter if there are a lot of them in a short amount of time (indicating some sort of break-in attempt). The Suppression setting lets you configure a threshold for how many have to happen before an alert is fired.
If there are specific accounts, workstations, etc. that you don't want to be alerted about, you can exclude them, or restrict alerting to specific targets. The filter text is checked against the entire Event Log event text, so it can target any part of the event.
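The category tables, the Suppression threshold and the text filter described above, as an added Python example that is not part of the monitor's own code: it assigns a category from the Event ID (using the Logon Type field for 528/540/4624), drops events whose full text matches an exclude term, and fires an alert only once a category's threshold is reached inside a time window. The event records, account names, the 60-second window and the per-category threshold shape are constructed for the example; the page does not document the monitor's actual suppression parameters.

```python
from collections import deque
from datetime import datetime, timedelta

# Event ID -> category (a subset of the tables above); 528/540/4624 are split by Logon Type.
EVENT_CATEGORIES = {4634: "Logoff", 4647: "Logoff", 4625: "Logon Failed", 4771: "Logon Failed",
                    4672: "Administrator Logon", 4740: "User Account Locked Out"}
SUCCESS_IDS = {528, 540, 4624}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock Workstation",
               8: "Network Clear Text", 10: "Remote Interactive",
               11: "Interactive - Cached Credentials", 12: "Remote Interactive - Cached Credentials"}

def categorize(event):
    """Assign the monitor's category; successful-logon IDs need the Logon Type field."""
    if event["id"] in SUCCESS_IDS:
        kind = LOGON_TYPES.get(event["logon_type"])
        return f"Logon Succeeded - {kind}" if kind else "Logon Succeeded - Other"
    return EVENT_CATEGORIES.get(event["id"], "Uncategorized")

class Suppression:  # fire only once thresholds[category] events arrive within window_seconds
    def __init__(self, thresholds, window_seconds):
        self.thresholds, self.window, self.recent = thresholds, timedelta(seconds=window_seconds), {}
    def observe(self, category, when):
        q = self.recent.setdefault(category, deque())
        q.append(when)
        while when - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) < self.thresholds.get(category, 1):
            return False
        q.clear()                          # one burst -> one alert
        return True

def run_monitor(events, alert_on, thresholds, window_seconds, exclude=()):
    """Return (category, time, text) alerts; exclude terms match against the whole event text."""
    supp, alerts = Suppression(thresholds, window_seconds), []
    for ev in events:
        cat = categorize(ev)
        if cat in alert_on and not any(term in ev["text"] for term in exclude):
            if supp.observe(cat, datetime.fromisoformat(ev["time"])):
                alerts.append((cat, ev["time"], ev["text"]))
    return alerts

def _ev(hhmmss, eid, ltype, who):   # builds a constructed sample record, not real log output
    return {"time": f"2024-05-01T{hhmmss}", "id": eid, "logon_type": ltype,
            "text": f"Event {eid} Logon Type: {ltype} Account Name: {who}"}
SAMPLE_EVENTS = [_ev("09:00:00", 4624, 10, "alice"), _ev("09:00:10", 4625, 3, "bob"),
                 _ev("09:00:12", 4625, 3, "bob"), _ev("09:00:15", 4625, 3, "bob"),
                 _ev("09:00:20", 4625, 3, "svc_backup"),   # dropped by the exclude filter
                 _ev("09:00:25", 4625, 3, "bob"), _ev("09:00:40", 4672, None, "alice")]

def demo():  # RDP and admin logons alert at once; failed logons only after 3 within 60 s
    return run_monitor(SAMPLE_EVENTS, {"Logon Failed", "Administrator Logon",
                       "Logon Succeeded - Remote Interactive"}, {"Logon Failed": 3}, 60, ("svc_backup",))
```

Running `demo()` yields three alerts: the RDP logon at 09:00:00, one "Logon Failed" alert when bob's third failure lands at 09:00:15, and the administrator logon at 09:00:40; the excluded service account never counts toward the threshold.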
To see specifically which Event IDs are included in each category, scroll to the right to the Definition column. Hover the mouse over any row to see the Event IDs in that category.
Windows has many types of logins, including:
- Normal - typical user logins
- Machine Accounts - this is when Windows itself performs a login to a different computer
- Window Manager/DWM - newer versions of Windows have the Desktop Window Manager, which logs in alongside each user
- Anonymous Logons - usually to access publicly available resources
- NT AUTHORITY\SYSTEM - these usually represent the operating system requesting access to local resources
By default, the non-normal login types are ignored, but you can choose to alert on them if they are of a category that is being monitored.
There are a few different types of reports available that make it easy to find out what login activity happened.
The Login Events report is especially flexible with many options for selecting the events you want to see, as shown below.
Not all fields make sense for all event types. So you would just fill in the details you care about and let the report find the appropriate events for you.
Standard Configuration Options
Like all monitors, this monitor has standard buttons on the right for Adding Actions, setting Advanced Options and setting the Monitor Schedule.