Javascript must be enabled to download our products and perform other essential functions on the website.

Buy Now Download Free Trial

Active Directory Login Monitor

The Active Directory Login Monitor watches the Security Event Log and records logins to a database. It can also alert for certain login events, and run reports later to see a history of logins.

The monitor is powerful, yet simple to setup. All events get written to the database so you have full reporting capability later. To alert on specific events, check the box next to the category.

Login Event Categories

There are many types of logins and similar events that the monitor will watch. These events are grouped into the following categories:

Note: 3-digit Event IDs are generally for Windows 2003 and earlier. In addition, some Event IDs are listed in multiple categories. In that case, information within the event is checked to determine which category the event should be assigned to.

CategoryIncluded Event IDs
Logoff538, 551, 683, 4634, 4647, 4779
Logon Failed 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 675, 4625, 4768, 4771, 4772, 4825
Administrator Logon576, 4672
Logon Suceeded - Interactive (Logon Type 2 - Console)528, 540, 4624
Logon Suceeded - Interactive - Cached Credentials (Logon Type 11)528, 540, 4624
Logon Suceeded - Remote Interactive (Logon Type 10 - RDP, etc)528, 540, 4624
Logon Suceeded - Remote Interactive - Cached Credentials (Logon Type 12 - RDP, etc)528, 540, 4624
Logon Suceeded - Unlock Workstation (Logon Type 7)528, 540, 4624
Logon Suceeded - Unlock Workstation - Cached Credentials (Logon Type 31)528, 540, 4624
Logon Suceeded - Network (Logon Type 3)528, 540, 4624
Logon Suceeded - Batch (Logon Type 4)528, 540, 4624
Logon Suceeded - Service (Logon Type 5)528, 540, 4624
Logon Suceeded - Network Clear Text (Logon Type 8)528, 540, 4624
Logon Successful - Different Credentials528, 540, 4624

Other Security Categories

In addition to login tracking, there are other events that are tracked that involve security, such as user and group changes, accounts and consoles locked, etc.

CategoryIncluded Event IDs
Console Locked4800, 4802
Console Unlocked4801, 4803
Group Created631, 635, 658, 694, 4727, 4731, 4754, 4783, 4790
Group Deleted634, 638, 662, 693, 696, 4730, 4734, 4758, 4789, 4792
Group Changed639, 641, 659, 668, 695, 4735, 4737, 4755, 4764, 4784, 4791
Member Added To Group632, 636, 660, 689, 4728, 4732, 4756, 4785
Member Removed From Group633, 637, 661, 690, 4729, 4733, 4757, 4786
Security Alert (DoS, replay, and IPsec events)4646, 4649, 4976, 4977, 4978
User Account Created624, 4720
User Account Deleted630, 4726
User Account Changed608, 609, 642, 685, 4704, 4705, 4738, 4781
User Account Enabled626, 4722
User Account Disabled629, 4725
User Account Locked Out644, 4740, 6279
User Account Unlocked671, 4767, 6280
User Credentials Change Succeeded627, 628, 4723, 4724, 5377
User Credentials Change Failed627, 4723, 4724

Configuration Options


There are some events, such as failed login attempts, that you only care about if there are a lot of them in a short amount of time (indicating some sort of break in attempt). The Suppression setting lets you configure a threshold for how many have to happen before an alert is fired.


If there are specific accounts, workstations, etc, that you don't want to be alerted about, you can exclude them, or only include specific targets. The filter text is checked against the entire Event Log Event text, so it can target any part of the event.


To see specifically which Event IDs are included in each category, scroll to the right and there is Definition column. Hover the mouse over any row to see the Event IDs in that category.

Non-Human Accounts

Windows has many types of logins, including:

  • Normal - typical user logins
  • Machine Accounts - this is when Windows itself performs a login to a different computer
  • Windows Manager/DWM - newer versions of Windows have Desktop Windows Manager that logs in along side each user
  • Anonymous Logons - usually to access publicly available resources
  • NT AUTHORITY\SYSTEM - these usually represent the operating system requesting access to local resources

By default, the non-normal login types are ignored, but you can choose to alert on them if they are of a category that is being monitored.


There are a few different types of reports available that make it easy to find out what login activity happened.

The Login Events report is especially flexible with many options for selecting the events you want to see, as shown below.

Not all fields make sense for all event types. So you would just fill in the details you care about and let the report find the appropriate events for you.

Standard Configuration Options

Like all monitors, this monitor has standard buttons on the right for Adding Actions, setting Advanced Options and setting the Monitor Schedule.

PA Server Monitor

Help Map