How to Track User Logon Session Time in Active Directory?

To track user logon session time in Active Directory, you can use the Logon/Logoff events recorded in the Security event log of domain controllers. Here are the steps to do this:

1. Open Event Viewer on your domain controller.
2. Navigate to Windows Logs > Security.
3. Filter the Security log to show only the Logon/Logoff events. To do this, click on the Filter Current Log button in the Actions pane, and then select the following options:
   • Event sources: Microsoft Windows security auditing.
   • Event IDs: 4624 (Logon) and 4634 (Logoff).
   • Keywords: Audit Success.
4. Click on the OK button to apply the filter.
5. Review the list of Logon/Logoff events to find the events for the user account that you want to track. The Logon event shows the time that the user logged on to the domain, while the Logoff event shows the time that the user logged off.
6. Calculate the session time by subtracting the Logon time from the Logoff time. You can use PowerShell to do this automatically. For example, the following PowerShell command calculates the session time for the user “jdoe” for the last 24 hours:

Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624,4634;StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Properties[5].Value -eq 'jdoe'} | ForEach-Object {$_.TimeCreated.ToString() + ' ' + $_.Properties[8].Value + ' ' + $_.Properties[5].Value} | Group-Object {$_.Substring(0,19)} | ForEach-Object {$_.Group | Sort-Object {[DateTime]$_.Substring(0,19)} | Select-Object -First 1, @{Name="Logoff";Expression={[DateTime]$_.Substring(0,19)}}, @{Name="Logon";Expression={[DateTime]$_.Group[-1].Substring(0,19)}} | Select-Object *, @{Name="SessionTime";Expression={$_.Logoff - $_.Logon}} | Format-Table -AutoSize

This command retrieves all Logon/Logoff events for the last 24 hours and filters them to show only events for the user “jdoe.” It then groups the events by the Logon time and calculates the session time for each session. The results are displayed in a table format, showing the Logon time, Logoff time, and session time for each session.

Note that the Logon/Logoff events recorded in the Security log are not always reliable and may not accurately reflect the user’s session time. In some cases, a user may remain logged on to the domain even if they are not actively using resources, which can skew the results. Additionally, some events may be missed or not recorded due to various reasons such as network connectivity issues, disk space limitations, or event log settings.