
Highlights
- Learn the seven Windows event IDs that matter for AD logon auditing and why workstations record true logoffs.
- Build a parallelized PowerShell script that pulls logon history from every domain controller in seconds.
- Plan log retention with a sizing formula, GPO settings, and Windows Event Forwarding into a SIEM.
- Compare native auditing, third-party auditors, and FIDO2 prevention as three answers to one question.
Tracking user logon and logoff in Active Directory means combining Group Policy audit settings, the right Windows event IDs (4624, 4625, 4634, 4647, 4768, 4769, 4776), PowerShell at scale, log forwarding to a SIEM, and a retention strategy aligned with SOX, HIPAA, PCI DSS 4.0, NIS2, and DORA. Domain controllers issue Kerberos tickets but never observe session end, so workstation event forwarding is non-optional in any modern hybrid estate.
Three days. That's how far back most domain controller security logs go before overwriting themselves, leaving administrators blind when an account lockout, an insider incident, or a compromised credential investigation lands on their desk. Native Active Directory auditing was designed for static workstations and on-premises domains, not for RDS farms, VPN tunnels, hybrid identity, and SaaS sessions running in parallel. This guide walks each layer — from event 4624 on the domain controller to phishing-resistant FIDO2 authentication that removes most password-related noise from your audit pipeline at the source.
Native AD Logon Auditing: GPO Setup, Event IDs and Real Limits
Enabling Logon/Logoff Auditing via Advanced Audit Policy Configuration
Default audit logon settings on a fresh domain are too permissive for forensics and too quiet for compliance. Open the Default Domain Controllers Policy and go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff. Enable Success and Failure on Logon, Logoff, Account Lockout, and Special Logon. Pair it with Account Logon > Audit Kerberos Authentication Service and Audit Credential Validation to capture NTLM fallback attempts.
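Because a GPO can fail to apply or be overridden by a later policy, it pays to read back the effective audit policy rather than trust the GPO editor. The following PowerShell is an added example, not part of the original article: it runs `auditpol /get /category:* /r` on every domain controller over WinRM and flags any of the subcategories named above that is not set to Success and Failure. It assumes the ActiveDirectory module, remoting access to each DC, and the subcategory names as `auditpol` prints them in English.

```powershell
# Added example (not from the original article): confirm the effective advanced
# audit policy on each domain controller, so a GPO that did not apply is caught
# before an investigation finds an empty Security log.
# Assumes the ActiveDirectory module and WinRM access to every DC.
$required = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',      # Logon/Logoff
    'Kerberos Authentication Service', 'Credential Validation'   # Account Logon
)

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        # 'auditpol /r' emits CSV with 'Subcategory' and 'Inclusion Setting' columns;
        # blank lines are dropped before ConvertFrom-Csv so the header is read correctly.
        $policy = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
        }
        foreach ($sub in $required) {
            $row = $policy | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
            [pscustomobject]@{
                DC          = $dc
                Subcategory = $sub
                Setting     = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
                Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    } catch {
        # Unreachable DC: report it as non-compliant rather than silently skipping it
        [pscustomobject]@{
            DC = $dc; Subcategory = '*'
            Setting = "Unreachable: $($_.Exception.Message)"; Compliant = $false
        }
    }
}

# Anything listed here needs attention before the logs are relied on
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from a management host after a `gpupdate /force` on the DCs; an empty result means every required subcategory is auditing both outcomes on every DC.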
Event ID Reference (4624, 4625, 4634, 4647, 4768, 4769, 4776) and Why Domain Controllers Don't Record True Logoff Events
| Event ID | Meaning | Where logged |
|---|---|---|
| 4624 | Successful logon | DC + workstation |
| 4625 | Failed logon | DC + workstation |
| 4634 / 4647 | Logoff / user-initiated logoff | Workstation only |
| 4768 / 4769 | Kerberos TGT / service ticket | Domain controller |
| 4776 | NTLM credential validation | Domain controller |
Domain controllers issue Kerberos tickets but never see the session end, so true logoffs live on endpoints, not on the DC. Microsoft Learn's event 4624 reference documents the full event schema and the Logon Type field, whose value determines how each 4624 should be interpreted.
PowerShell Scripts to Pull Logon History Across All Domain Controllers
Modern Get-WinEvent + FilterHashtable Script with Parallel Processing
Get-EventLog has been deprecated since PowerShell 5 and collapses on large forests. Use Get-WinEvent with a FilterHashtable and query every domain controller in parallel:

```powershell
# Requires PowerShell 7+ (ForEach-Object -Parallel) and the ActiveDirectory module
$DCs = (Get-ADDomainController -Filter *).HostName
$DCs | ForEach-Object -Parallel {
    $dc = $_   # keep the DC name; inside catch, $_ becomes the error record
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddDays(-7)
        } -ErrorAction Stop |
            Select-Object TimeCreated, MachineName, @{n='User';e={$_.Properties[5].Value}}
    } catch {
        Write-Warning "$($dc): $($_.Exception.Message)"   # unreachable DC or no matching events
    }
} -ThrottleLimit 10 | Export-Csv .\logons.csv -NoTypeInformation
```

The try/catch around each remote call reports an unreachable DC (or one with no matching events, which Get-WinEvent also raises as an error) without aborting the run.
Correlating 4624/4634 Pairs and Tracking RDS/VPN Sessions
True session duration requires pairing each 4624 with its matching 4634/4647 by LogonID (Properties[7]). For RDS, query Microsoft-Windows-TerminalServices-LocalSessionManager/Operational (IDs 21, 23, 25) on session hosts. For VPN, parse RRAS or your concentrator logs and join on username plus timestamp.
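The pairing described above is easy to get wrong with positional `Properties[n]` lookups, because the LogonID sits at a different index in each event (TargetLogonId is index 7 in 4624 but index 3 in 4634, and 4647 carries it as SubjectLogonId at index 3). The function below is an added example, not code from the original article: it reads the named EventData fields from each event's XML, keeps only interactive logon types so network-logon noise is excluded, pairs each 4624 with the first later 4634/4647 carrying the same LogonID, and reports sessions that have no logoff yet. The computer name, lookback window and logon-type list are assumptions you would adjust.

```powershell
# Added example (not part of the original article): pair each interactive 4624
# with its matching 4634/4647 on an endpoint and compute session duration.
# Field names are read from the event XML instead of Properties[n] indexes,
# because the LogonId sits at different indexes in 4624, 4634 and 4647.
# Assumes rights to read the Security log on the target endpoint.
function Get-SessionDurations {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        # 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
        [int[]]$LogonTypes = @(2, 10, 11)
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; ID = 4624, 4634, 4647
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $sessions = @{}   # LogonId -> open logon record
    $results  = [System.Collections.Generic.List[object]]::new()

    # Oldest first, so a logoff is always processed after its logon
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            4624 {
                if ([int]$data.LogonType -in $LogonTypes) {
                    $sessions[$data.TargetLogonId] = [pscustomobject]@{
                        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                        LogonType = [int]$data.LogonType
                        LogonTime = $e.TimeCreated
                        Source    = $data.IpAddress
                    }
                }
            }
            { $_ -in 4634, 4647 } {
                # 4634 names the session as TargetLogonId, 4647 as SubjectLogonId
                $id = if ($e.Id -eq 4634) { $data.TargetLogonId } else { $data.SubjectLogonId }
                if ($sessions.ContainsKey($id)) {
                    $s = $sessions[$id]
                    $results.Add([pscustomobject]@{
                        User       = $s.User
                        LogonType  = $s.LogonType
                        LogonId    = $id
                        LogonTime  = $s.LogonTime
                        LogoffTime = $e.TimeCreated
                        Duration   = $e.TimeCreated - $s.LogonTime
                        Source     = $s.Source
                    })
                    $sessions.Remove($id)
                }
            }
        }
    }

    # Whatever is left has no logoff in the window: still logged on, or the log rolled over
    foreach ($id in $sessions.Keys) {
        $s = $sessions[$id]
        $results.Add([pscustomobject]@{
            User = $s.User; LogonType = $s.LogonType; LogonId = $id
            LogonTime = $s.LogonTime; LogoffTime = $null; Duration = $null; Source = $s.Source
        })
    }
    return $results
}

Get-SessionDurations -Days 7 | Sort-Object LogonTime | Format-Table -AutoSize
```

Run it against a workstation or RDS session host, not a domain controller, since that is where 4634/4647 are written; a session listed with an empty LogoffTime whose LogonTime is older than the log's oldest record is a sign the log rolled over before the logoff was captured.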
Centralizing and Retaining Logon Logs Without Losing Data
Default Security log caps (often 128 MB) explain why admins on Spiceworks repeatedly report "logs only go back 3 days." Retention must be engineered, not assumed.
Sizing Formula and GPO Settings to Stop Logs from Overwriting
Use this formula: events/user/day × users × retention days × 1.5 KB = required log size. For 500 users generating ~80 events/day over 90 days, plan ~5.4 GB per DC. Configure via Computer Configuration > Policies > Windows Settings > Security Settings > Event Log: set max size, choose Archive the log when full rather than overwrite, and monitor disk pressure on domain controllers.
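The formula is only useful once it is compared against what each domain controller is actually configured with. The script below is an added example, not part of the original article: it applies the formula with the article's worked figures (80 events/user/day, 500 users, 90 days, 1.5 KB per event) and then, for every DC, reads the Security log's configured maximum size and log mode and how far back its oldest surviving record reaches. It uses binary units throughout (1 KB = 1024 bytes), so the 500-user case comes out at about 5.15 GiB, the binary equivalent of the article's decimal 5.4 GB; the conclusion is the same.

```powershell
# Added example (not from the original article): apply the sizing formula and
# compare the result with each DC's configured Security log and its real reach.
# Assumes the ActiveDirectory module and rights to read event log metadata on each DC.
function Get-RequiredSecurityLogBytes {
    param(
        [int]$EventsPerUserPerDay,
        [int]$Users,
        [int]$RetentionDays,
        [double]$AvgEventKB = 1.5   # the article's per-event estimate
    )
    # events/user/day x users x retention days x average event size
    [long]($EventsPerUserPerDay * $Users * $RetentionDays * $AvgEventKB * 1KB)
}

# The article's worked figures: 500 users, ~80 events/day each, 90-day retention
$required = Get-RequiredSecurityLogBytes -EventsPerUserPerDay 80 -Users 500 -RetentionDays 90

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $log    = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        $oldest = Get-WinEvent -ComputerName $dc -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
        [pscustomobject]@{
            DC           = $dc
            Mode         = $log.LogMode     # Circular = overwrite, AutoBackup = archive when full
            MaxSizeGB    = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
            RequiredGB   = [math]::Round($required / 1GB, 2)
            Undersized   = $log.MaximumSizeInBytes -lt $required
            OldestRecord = $oldest.TimeCreated
            ActualDays   = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
        }
    } catch {
        Write-Warning "$($dc): $($_.Exception.Message)"
    }
}
```

A DC showing Mode `Circular`, `Undersized` true and `ActualDays` in the single digits is the "logs only go back 3 days" situation the article describes; fix it in the Event Log GPO above rather than with a one-off local change that the next policy refresh would not preserve.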
Windows Event Forwarding (WEF) + SIEM/Splunk Setup for Hybrid AD + Entra ID Environments
Deploy a WEF collector, push a GPO defining the subscription manager URL, and filter event IDs 4624/4625/4634/4647/4776 via XPath. Forward to Splunk through a heavy forwarder, then ingest Entra ID sign-in logs via the Graph API to correlate hybrid identities in one pane.
From Detection to Prevention: How FIDO2 and Passwordless Shrink Your Audit Surface
Detection scales linearly with password noise. The Verizon 2025 DBIR puts credential abuse in 22% of all breaches, and stolen credentials plus phishing combined drive past half of human-element incidents. Remove the password and that vector collapses at the source: brute force, spraying, and NTLM downgrade attempts disappear. Your SOC stops triaging 4625 storms and starts hunting real anomalies.
Before/After SIEM Volume and MITRE ATT&CK Pattern Recipes (T1078, T1110, T1558)
On a 1,000-user estate, expect 4625/4776 events to drop by an order of magnitude after a Hideez FIDO2 rollout. Hardware-bound credentials neutralize T1110 (brute force), T1558 (Kerberoasting), and most T1078 (valid accounts) variants because the private key never leaves the security key.
Compliance Mapping: SOX, HIPAA, PCI DSS 4.0, NIS2 and DORA
PCI DSS 4.0 §8.4 and NIS2 Article 21 explicitly require phishing-resistant authentication. FIDO2 satisfies both while producing tamper-evident logon records auditors accept.
DORA Article 9 extends the same expectation to EU financial entities, and NIST SP 800-63B defines the AAL3 assurance level all five frameworks ultimately reference.
Decision Framework: Native Auditing vs. Third-Party Auditor vs. Authentication-Layer Solution
Choosing between native AD auditing, a dedicated auditor, and an authentication-layer control isn't a binary decision. Each layer answers a distinct question: what happened, what's happening now, and what should never happen at all.
Scoring Matrix: Cost, Hybrid Coverage, Real-Time Alerting and Prevention vs. Detection
| Criterion | Native AD | Third-Party Auditor | Hideez (Auth Layer) |
|---|---|---|---|
| Cost | Free | $3-8/user/year | Per-key + license |
| Hybrid Entra ID coverage | Partial | Variable | Full |
| Real-time alerting | No | Yes | N/A (prevents) |
| Approach | Detection | Detection | Prevention |
When ADAudit Plus, UserLock or Netwrix Is Enough — and Why Hideez Complements Them
If your priority is forensic evidence and SOC 2 reporting, a third-party auditor covers the detection layer well. Hideez doesn't replace them; in a layered architecture it removes the credential-based events they would otherwise spend cycles triaging, leaving the auditor's rules to focus on real anomalies instead of password noise.
Hideez replaces the credential attack surface with phishing-resistant FIDO2 logins that auditors accept and SOCs love. Book a demo to see how it fits your AD or hybrid Entra ID estate, or become a Hideez partner to deliver the same benefit to your customers.
Frequently Asked Questions
Why doesn't Active Directory record true logoff events on the domain controller?
The Kerberos ticket model authenticates the user once, then the session lives on the workstation. The DC issues a TGT but has no awareness of when the user closes their access session. Logoff events (4634, 4647) are written locally on the endpoint, not centrally. To capture them, forward workstation logs via Windows Event Forwarding to a collector or SIEM.
How can I get AD user logon history with PowerShell across all domain controllers?
Use Get-WinEvent -FilterHashtable against every DC returned by Get-ADDomainController -Filter *, with ForEach-Object -Parallel for scale. Filter on logon event ID 4624, export to CSV, then correlate with 4634 to compute true session duration.
Logon auditing vs. passwordless authentication: which actually reduces credential-based risk?
Auditing detects after the fact. FIDO2 hardware authentication eliminates the attack surface, neutralizing brute force, phishing and password spraying at the root.
