How to track Active Directory login / logout?

I am writing a simple C# desktop application that displays a line of text in a text box whenever someone logs in to or out of Active Directory. It is designed to run on the same computer as AD under Windows Server 2008 and Windows Server 2003. So far, so good: for S2008 I managed to start using ManagementEventWatcher, which fires when an event occurs with (EventCode = 4624 OR EventCode = 4634).

Here is the WMI request I'm currently using:

 SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance isa "Win32_NTLogEvent" AND (TargetInstance.EventCode = '4624' OR TargetInstance.EventCode = '4634') 

and then I parse eventArgs.Properties["TargetInstance"].Properties["Message"] to find the user and the client IP address.

It is strange that even when a user logs out, I still get only one event, with EventCode 4624. What happens to event 4634? How do I catch the logouts?

(I am also looking for a workaround for SU: How to get event information in an application launched by the task scheduler?)

+4
2 answers

The Windows Server 2008 machine began to behave after several hours of operation. The problem has been fixed. This is just a guess, but it may have been caused by my trying to run my application on the S2008 machine too many times and with too many errors, ruining the configuration of the operating system.

+1

You can use the system log and log events. Each action in the system is controlled by the Windows operating system and is available in event logs.

You can use .NET classes to get these saved events. See: how to receive system events

 using System.Diagnostics; // namespace that provides EventLog
 EventLog log = new EventLog("System");
0
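
As an added example (not code from the question or either answer), one way to receive both 4624 and 4634 from the Security log and pair them by the TargetLogonId field that both events carry, reading the named event fields instead of parsing the Message text. It assumes Windows Server 2008 or later (the System.Diagnostics.Eventing.Reader API is not available on Server 2003), logon/logoff auditing enabled, and an account allowed to read the Security log; the class and helper names are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

class LogonLogoffWatcher // hypothetical name, added example
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";
    // Open sessions keyed by TargetLogonId; the value is DOMAIN\user from the 4624 event.
    static readonly ConcurrentDictionary<string, string> Sessions =
        new ConcurrentDictionary<string, string>();

    static void Main()
    {
        // XPath filter evaluated by the event log service: only logon (4624) and logoff (4634).
        var query = new EventLogQuery("Security", PathType.LogName,
            "*[System[(EventID=4624 or EventID=4634)]]");
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += OnEvent;
            watcher.Enabled = true;   // start the push subscription
            Console.ReadLine();       // run until Enter is pressed
        }
    }

    // Returns the value of <Data Name="..."> from the event XML, or "-" when absent.
    static string Field(XDocument doc, string name)
    {
        var el = doc.Descendants(Ns + "Data")
                    .FirstOrDefault(d => (string)d.Attribute("Name") == name);
        return el == null ? "-" : el.Value;
    }

    static void OnEvent(object sender, EventRecordWrittenEventArgs e)
    {
        // A null record means the subscription reported an error instead of an event.
        if (e.EventRecord == null) { Console.Error.WriteLine(e.EventException); return; }
        using (EventRecord rec = e.EventRecord)
        {
            var doc = XDocument.Parse(rec.ToXml());
            string id = Field(doc, "TargetLogonId"), opened;
            string user = Field(doc, "TargetDomainName") + "\\" + Field(doc, "TargetUserName");
            if (rec.Id == 4624 && Sessions.TryAdd(id, user))
                Console.WriteLine("{0:u} LOGON  {1} type={2} ip={3} id={4}", rec.TimeCreated,
                    user, Field(doc, "LogonType"), Field(doc, "IpAddress"), id);
            else if (rec.Id == 4634)  // flag logoffs whose logon this watcher never saw
                Console.WriteLine("{0:u} LOGOFF {1} id={2}{3}", rec.TimeCreated, user, id,
                    Sessions.TryRemove(id, out opened) ? "" : " (logon not seen)");
        }
    }
}
```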