How do you track the login history for a specific user ID? That’s the question posed by TechRepublic member Linda. Here’s the take from Jake.
Turn on automatic tracking
Here’s the question Linda submitted: “Can you investigate if there is a way I can track the network logon times for a specific ID? If there is, how far back can we go? If this is something that is not currently in place, is it something we could turn on for an individual or for everyone?”
Auditing functionality is built right into Windows NT. If you have a Microsoft Windows NT Server, you can turn this feature on easily. Keep in mind, these procedures are very basic and are meant to familiarize you with Windows NT 4.0 Auditing. Auditing can be a resource hog, so please turn on events only when you need to track.
The following publication provides in-depth instruction concerning auditing inside Windows NT: Microsoft Windows NT 4.0 Security, Audit, and Control, by James G. Jumes (Editor), Coopers and Lybrand, Neil F. Cooper, Todd M. Feinman; 318 pages, Microsoft Press; ISBN: 157231818X. ($39.95 Softcover at Fatbrain.)
In general, auditing is a two-step process. First, the auditing feature from User Manager for Domains or User Manager must be initiated. Once auditing is turned on, the administrator must manually review the logs through Event Viewer (Start, Programs, Administrative Tools, Event Viewer).
Step one: Defining the audit policy
To set up auditing, you must be a member of the Administrators group. Once auditing is on, Administrators and Server Operators can view and archive the logs by default. As you set up auditing, you will see the capability to audit files and directories; however, file and directory auditing is available only on NTFS-formatted volumes.
Follow this process to turn on auditing:
- Start User Manager for Domains
- From Policies, click Audit and the Audit dialog box appears.
- Click Audit these Events.
- Select Success and/or Failure for the events you want to monitor.
You can audit all kinds of things, including Events, Files, Directories, and even Printers. For example, as the administrator, you can see events such as logon, logoff, file and object access, use of user rights, user and group management, security policy changes, restart, shutdown, and system process tracking.
Step two: Viewing events
Event Viewer provides information in three logs: System, Security, and Application. Here is a breakdown:
- The System Log contains errors, warnings, and informational messages generated by Windows NT system components.
- The Security Log contains the success and/or failure records for the events you chose to audit.
- The Application Log contains errors, warnings, and informational messages written by programs such as Office, e-mail, and other applications.
Launching the Event Viewer is simple. Just click Start; choose Programs; select Administrative Tools, and then select Event Viewer.
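Reviewing the Security Log by hand in Event Viewer works, but Linda's question (the logon times for one specific ID, and how far back they go) is easier to answer from a saved copy of the log. The script below is an added example, not part of the original article or of any Microsoft tool: it parses a Security Log that Event Viewer has saved as comma-delimited text and builds a per-user logon timeline from the NT 4.0 Logon/Logoff events (528 successful logon, 529 failed logon, 538 logoff). The column layout assumed in FIELDS and the sample export are constructed for this example; check the header of your own export and adjust FIELDS before use.

```python
"""
Added example (not from the article): per-user logon history from a
Security Log exported by Event Viewer as comma-delimited text.
The column order below is an ASSUMPTION for this example; verify it
against your own export before relying on the output.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# NT 4.0 Security Log event IDs in the Logon/Logoff category.
LOGON_EVENTS = {
    528: "logon",    # successful logon
    529: "failed",   # logon failure: unknown user name or bad password
    538: "logoff",   # user logoff
}

# Assumed export layout (one audit record per line).
FIELDS = ["date", "time", "source", "type", "category", "event_id",
          "user", "computer", "description"]

# Constructed sample export covering two days; not real log data.
SAMPLE_EXPORT = """\
03/14/2000,08:02:11,Security,Success Audit,Logon/Logoff,528,CORP\\linda,FS01,Successful Logon
03/14/2000,08:05:43,Security,Failure Audit,Logon/Logoff,529,CORP\\jake,FS01,Logon Failure
03/14/2000,08:06:02,Security,Success Audit,Logon/Logoff,528,CORP\\jake,FS01,Successful Logon
03/14/2000,17:31:09,Security,Success Audit,Logon/Logoff,538,CORP\\linda,FS01,User Logoff
03/15/2000,07:58:30,Security,Success Audit,Logon/Logoff,528,CORP\\linda,FS01,Successful Logon
03/15/2000,09:12:00,Security,Success Audit,Policy Change,612,CORP\\admin,FS01,Audit Policy Change
"""


def parse_export(text):
    """Yield (timestamp, event_id, user, computer) for each well-formed record.
    Malformed lines are skipped rather than aborting the whole review."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    for row in reader:
        try:
            when = datetime.strptime(
                f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
            event_id = int(row["event_id"])
        except (ValueError, TypeError):
            continue
        user = (row.get("user") or "").lower()      # account names are case-insensitive
        yield when, event_id, user, row.get("computer") or ""


def logon_history(text, user):
    """Chronological list of (timestamp, kind, computer) for one account,
    where kind is 'logon', 'failed' or 'logoff'."""
    wanted = user.lower()
    history = [
        (when, LOGON_EVENTS[event_id], computer)
        for when, event_id, who, computer in parse_export(text)
        if who == wanted and event_id in LOGON_EVENTS
    ]
    history.sort()
    return history


def sessions(text, user):
    """Pair each successful logon with the next logoff for the account.
    A logon with no later logoff is reported with None (still logged on,
    or the logoff fell outside the exported range)."""
    result = []
    open_logon = None
    for when, kind, _ in logon_history(text, user):
        if kind == "logon":
            if open_logon is not None:
                result.append((open_logon, None))
            open_logon = when
        elif kind == "logoff" and open_logon is not None:
            result.append((open_logon, when))
            open_logon = None
    if open_logon is not None:
        result.append((open_logon, None))
    return result


def summarize(text, user):
    """Counts of logon, logoff and failed-logon records for the account."""
    counts = Counter(kind for _, kind, _ in logon_history(text, user))
    return {kind: counts.get(kind, 0) for kind in ("logon", "logoff", "failed")}


def coverage(text):
    """Earliest and latest timestamps in the export: this is how far back
    the saved log actually reaches, which answers the 'how far back' part."""
    stamps = [when for when, _, _, _ in parse_export(text)]
    return (min(stamps), max(stamps)) if stamps else (None, None)


if __name__ == "__main__":
    first, last = coverage(SAMPLE_EXPORT)
    print(f"log covers {first} to {last}")
    for when, kind, computer in logon_history(SAMPLE_EXPORT, "CORP\\linda"):
        print(f"{when}  {kind:<7} {computer}")
    for start, end in sessions(SAMPLE_EXPORT, "CORP\\linda"):
        print(f"session {start} -> {end if end else 'still open'}")
    print(summarize(SAMPLE_EXPORT, "CORP\\jake"))
```

The "how far back" part of the question is answered by coverage(): the Security Log only reaches back as far as its configured size and the archives you keep, so the regular archiving recommended later in this article is what makes longer histories possible.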
Auditing best practices: Microsoft’s recommendations
Once you’re familiar with how to use the auditing tools, you need to choose what events to monitor. Microsoft recommends auditing events that will provide you with meaningful information about your network. Here are some considerations.
- Every event you log uses valuable resources. This fact is very important because if you log something that you don't need, you are wasting CPU time!
- Audit the Everyone group instead of Users. Everyone is a system group whose membership the server assigns automatically based on network activity; it includes every user logged on to the network. Auditing it ensures that you are monitoring all users who are on the network.
- Set up a schedule to review Event Viewer Logs! Make this a part of your weekly process.
- Archive the logs on a regular basis.
The final scoop
As you can see, auditing is fairly simple to set up. However, you must plan in advance because this functionality will stress the computer’s central processing unit. I wrote this article to provide a basic idea of Windows NT auditing procedures. The rollout of auditing on your network should be planned thoroughly with the advice of network engineers and architects.
Remember that auditing can affect network performance. An effective audit procedure provides meaningful information about your network.
If you’d like to comment on this article or share your strategy for auditing NT user activity, please post a comment below or write to Jake.