How to Track Domain Controllers Logon Activity in Active Directory

Domain controllers are the core of Active Directory: they authenticate users, enforce Group Policy, and control access across the domain. Anyone who gains privileged access to a DC can forge authentication tickets, plant backdoor admin accounts, modify security policies, and more. Monitoring who signs in to a DC is therefore essential to catching such threats early. This guide explains how to track domain controller logon history in Active Directory and identify suspicious access.


Audit Domain Controller Logon History in Active Directory Using Event Viewer

Active Directory permission required:
  • Event Log Readers (least privilege)
  • Administrators (most privilege)
  • Open Server Manager and navigate to Tools » Event Viewer. To review a DC other than the one you are signed in to, right-click Event Viewer (Local) and choose Connect to Another Computer.
  • From the left pane, navigate to Windows Logs » Security, and select Filter Current Log from the Actions pane.
  • In the filter window, go to the <All Event IDs> field and enter 4624 and 4625 as comma separated values.
  • To retrieve the logon events of a domain controller, enter its hostname in the Computer(s) field and click OK.
  • Event Viewer now displays the logon events of the specified domain controller. Double-click any event to open the Event Properties page and see details such as account name, logon type, logon time, and source workstation or IP address. Note that on a DC most 4624 events are logon type 3 (network), generated by clients authenticating to shares, LDAP, and Kerberos; the sign-ins that matter for DC access are type 2 (console) and type 10 (RDP), which you can isolate on the filter's XML tab.
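The following is an added example and not part of the original article: an Event Viewer-compatible XML query that keeps only console (logon type 2) and RDP (logon type 10) sign-ins to the DC from the last seven days, which removes the type 3 noise that an unfiltered 4624 view on a DC consists of. The XML can be pasted as-is into Filter Current Log » XML » "Edit query manually"; the PowerShell around it runs the same query remotely. The DC name is a placeholder you must replace.

```powershell
# Added example, not the article's own code. $DCName is an assumption; replace it with your DC.
$DCName = 'DC01'

# Event Viewer XML filter: successful logons, console or RDP only, last 7 days (604800000 ms).
# '&lt;=' is the XML escape for '<=' that Event Viewer itself generates.
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
      and
      *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]
    </Select>
  </Query>
</QueryList>
'@

Get-WinEvent -ComputerName $DCName -FilterXml ([xml]$Query) -ErrorAction Stop |
    ForEach-Object {
        # 4624 field order: 5=TargetUserName, 6=TargetDomainName, 8=LogonType,
        # 11=WorkstationName, 18=IpAddress (compare with the event's XML view)
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $p[6].Value, $p[5].Value
            LogonType   = $p[8].Value
            Workstation = $p[11].Value
            SourceIP    = $p[18].Value
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading the Security log remotely requires membership in Event Log Readers (or Administrators) on the DC and the Remote Event Log Management firewall rules, exactly as for the PowerShell method below.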

Get Active Directory Domain Controllers Sign-ins Using PowerShell

Active Directory permission required:
  • Event Log Readers (least privilege)
  • Administrators (most privilege)
  • The manual method to retrieve DC logon events using Event Viewer works. However, it requires you to manually enter the DC names every time you need to check DC logon history, which makes the process time-consuming.
  • To simplify this process, you can use PowerShell to retrieve and export logon events from all domain controllers in your environment.
  • To get started, import the Active Directory PowerShell module (part of RSAT) and define a lookup for the logon type codes that events 4624 and 4625 carry.
     Import-Module ActiveDirectory
     $LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'; 8='NetworkCleartext';
                      9='NewCredentials'; 10='RemoteInteractive (RDP)'; 11='CachedInteractive' }
  • Then, replace <OutputCSVFilePath> with the location where you want to save the logon report and run the script below to export the logon events of every domain controller. The two event IDs lay out their fields differently (logon type is field 8 in 4624 but field 10 in 4625), and the value arrives as a UInt32, so it is cast to [int] before the lookup; without the cast the hashtable lookup silently misses.
     Get-ADDomainController -Filter * | ForEach-Object {
        $DCName = $_.HostName
        Get-WinEvent -ComputerName $DCName -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } |
        ForEach-Object {
            $p = $_.Properties
            if ($_.Id -eq 4624) { $type = [int]$p[8].Value;  $ip = $p[18].Value }   # 4624 layout
            else                { $type = [int]$p[10].Value; $ip = $p[19].Value }   # 4625 layout
            $typeName = if ($LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { $type }
            [pscustomobject]@{
                DomainController = $DCName
                TimeCreated      = $_.TimeCreated
                Id               = $_.Id
                Account          = '{0}\{1}' -f $p[6].Value, $p[5].Value   # TargetDomainName\TargetUserName
                LogonType        = $typeName
                SourceIP         = $ip
            }
        }
     } | Export-Csv "<OutputCSVFilePath>" -NoTypeInformation
  • This script exports the successful and failed logon events of all domain controllers in the domain, with the DC hostname, logon time, event ID, account name, logon type, and source IP address. It reads each DC's Security log remotely over RPC, so the Remote Event Log Management firewall rules must allow the connection (see Common Errors below).
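Exporting the events is only half the job; the next step is deciding which rows matter. The block below is an added example, not code from the original article, that runs three checks a practitioner would apply to such an export: interactive or RDP logons to a DC by accounts outside an allow-list, interactive logons outside office hours, and bursts of failed logons from one source against one account. The rows are constructed sample data in the column layout of the export above, extended with the account and source IP that 4624/4625 carry; the allow-list, the office-hours window and the failure threshold are assumptions to adjust for your environment. Replace the sample with Import-Csv "<OutputCSVFilePath>" to run it on a real export.

```powershell
# Added example, not the article's own code. Allow-list and hours are assumptions.
$DcAdmins    = @('CORP\adm.alice', 'CORP\adm.bob')   # accounts permitted to sign in to DCs
$OfficeHours = 7..19                                  # 07:00-19:59 local time

# Constructed sample rows in the export's layout (not real log data)
$Sample = @'
DomainController,TimeCreated,Id,Account,LogonType,SourceIP
DC01.corp.example,2024-05-06 09:12:44,4624,CORP\adm.alice,RemoteInteractive (RDP),10.1.0.20
DC01.corp.example,2024-05-06 02:03:10,4624,CORP\jdoe,RemoteInteractive (RDP),10.1.5.77
DC02.corp.example,2024-05-06 02:03:55,4624,CORP\DC02$,Network,-
DC02.corp.example,2024-05-06 11:41:02,4625,CORP\administrator,Network,10.1.5.77
DC02.corp.example,2024-05-06 11:41:03,4625,CORP\administrator,Network,10.1.5.77
DC02.corp.example,2024-05-06 11:41:03,4625,CORP\administrator,Network,10.1.5.77
DC02.corp.example,2024-05-06 11:41:04,4625,CORP\administrator,Network,10.1.5.77
DC02.corp.example,2024-05-06 11:41:05,4625,CORP\administrator,Network,10.1.5.77
DC02.corp.example,2024-05-06 11:41:06,4625,CORP\administrator,Network,10.1.5.77
'@ | ConvertFrom-Csv

function Find-SuspiciousDcLogon {
    param(
        [object[]]$Rows,
        [string[]]$AllowedAccounts,
        [int[]]$Hours,
        [int]$FailureThreshold = 5
    )
    # Logon types that mean a person (or something acting as one) had a session on the DC
    $interactive = 'Interactive', 'RemoteInteractive (RDP)', 'Unlock', 'CachedInteractive'
    $findings = [System.Collections.Generic.List[object]]::new()

    # Check 1 and 2: who signed in interactively, and when
    foreach ($r in ($Rows | Where-Object { $_.Id -eq '4624' -and $interactive -contains $_.LogonType })) {
        $t = [datetime]$r.TimeCreated
        $reasons = @()
        if ($AllowedAccounts -notcontains $r.Account) { $reasons += 'account not in DC admin allow-list' }
        if ($Hours -notcontains $t.Hour)              { $reasons += 'outside office hours' }
        if ($reasons) {
            $findings.Add([pscustomobject]@{
                Type = 'InteractiveLogon'; DC = $r.DomainController; Account = $r.Account
                Source = $r.SourceIP; When = $t; Reason = ($reasons -join '; ')
            })
        }
    }

    # Check 3: repeated failures for the same source/account pair (password guessing, stale creds)
    $Rows | Where-Object Id -eq '4625' | Group-Object SourceIP, Account |
        Where-Object Count -ge $FailureThreshold | ForEach-Object {
            $first = $_.Group[0]
            $findings.Add([pscustomobject]@{
                Type = 'FailureBurst'; DC = $first.DomainController; Account = $first.Account
                Source = $first.SourceIP; When = [datetime]$first.TimeCreated
                Reason = "$($_.Count) failed logons in export"
            })
        }
    return $findings
}

Find-SuspiciousDcLogon -Rows $Sample -AllowedAccounts $DcAdmins -Hours $OfficeHours |
    Format-Table Type, DC, Account, Source, When, Reason -AutoSize
```

On the sample data this reports two findings: the 02:03 RDP logon by CORP\jdoe (not on the allow-list and outside office hours) and the six failed network logons from 10.1.5.77 against CORP\administrator; the allowed daytime logon by adm.alice and the machine-account network logon are ignored. Machine accounts (names ending in $) with logon type 3 are normal on a DC and should not be treated as sign-ins.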

Monitor Domain Controller Logon Activity in Active Directory Using AdminDroid

AdminDroid’s Active Directory reporting tool simplifies logon activity monitoring by offering complete visibility into all user logons, server logins, DC sign-ins, remote logons, and more. For domain controller monitoring, the tool helps admins track successful and failed DC logins, identify unauthorized sign-in attempts, and detect suspicious activity before it compromises the environment. Below are the key features of AdminDroid that strengthen domain controller logon monitoring.

Monitor Audit Log Clearing Events on DCs to Detect Log Tampering

Check all audit log clearing events on domain controllers to identify who cleared logs, detect attempts to hide login activity on domain controllers, and initiate appropriate remediation steps.

Track Domain Controller Logon Failures for Security Insights

Review the failed DC logons report in AdminDroid to detect suspicious login attempts targeting core systems that manage your Active Directory environment.

Monitor Daily Domain Controller Logins to Find Unusual Spikes

Get the daily logon count across domain controllers to identify abnormal authentication patterns, including logons on unexpected DCs and logons during off-hours that may indicate potential abuse.

Detect Inactive Domain Controllers Using Last Logon Activity

Use AdminDroid’s easy filter in the server last logon report to identify inactive domain controllers and investigate whether the lack of logons is caused by authentication patterns, site configuration, or connectivity issues.

Check Logon Restrictions on Domain Controllers to Review User Access

Audit user logon restrictions to find which users are permitted or restricted from signing into domain controllers and ensure DC access is limited to authorized Active Directory users only.

Get Instant Notification for Domain Controller Shutdown Events

Use AdminDroid's built-in alert policy for DC shutdown events to get notified the moment a domain controller goes offline, before sign-in failures and replication issues impact your Active Directory domain.

AdminDroid offers extensive Active Directory reports to track domain controller logon events across your environment. Beyond this, it helps you set alerts for risky user sign-ins, audit critical DC policy changes, automate computer management tasks, and more to maintain the security and operational health of your DCs.


Important Tips

Patch your domain controllers regularly in Active Directory to prevent attackers from exploiting outdated DCs and gaining control of your domain.

Prefer Kerberos authentication to domain controllers and audit remaining NTLM use (Event ID 4776 on the DC records every NTLM validation), as NTLM is deprecated and remains exposed to credential-based attacks such as relay and pass-the-hash.

Implement a tiered administration model in Active Directory to limit logons to domain controllers and reduce the risk of lateral movement from compromised low-tier devices.

Common Errors and Resolution Steps

Here are the possible errors and troubleshooting hints while retrieving logon history of domain controllers in Active Directory.

Error Get-WinEvent : The RPC server is unavailable

This error occurs in PowerShell when you try to retrieve logon history but the domain controller is not reachable over RPC. Common causes are firewall restrictions, an incorrect domain controller name, network issues, or a server that no longer exists.

Fix First, verify that the domain controller exists in your domain and that the correct name is provided. If everything is correct, check the following:
  • Ensure the Remote Event Log Management (RPC) inbound firewall rules are enabled on the DC to allow remote log access.
  • Make sure the Remote Procedure Call (RPC) and Windows Event Log services are running on the target domain controller.
  • Test network connectivity using ping and check DNS resolution of the domain controller.

Error Get-ADDomainController : Cannot find directory server with identity: <DCName>

When checking the currently logged-in users on a domain controller, you may encounter this error if the specified DC name is incorrect or does not exist in Active Directory.

Fix Ensure that the specified domain controller exists in Active Directory and also verify that the correct domain controller name is provided using the PowerShell cmdlet below.
Get-ADDomainController -Filter *

Error Set-ADUser : The term 'Set-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when trying to restrict DC sign-ins without installing and/or importing the Active Directory PowerShell module in the system.

Fix Before running the cmdlet to restrict logons to domain controllers, install the Active Directory PowerShell module and import it using the following command:
Import-Module ActiveDirectory

Frequently Asked Questions


1. How to identify the current logged-on user in an Active Directory domain controller?

Imagine you are about to perform maintenance and need to shut down or demote a domain controller. Before proceeding, check whether any user or administrator currently has an active session on the DC. This prevents unexpected disruptions, avoids interrupting ongoing tasks, and ensures the maintenance can be performed safely.

To identify the users currently logged on to the domain controller, you can run the PowerShell snippet below.

# Query one DC by name; use Get-ADDomainController -Filter * instead to check every DC
$DCs = Get-ADDomainController -Identity "<DCHostName>"
foreach ($DC in $DCs) {
    Write-Host "Checking sessions on: $($DC.HostName)" -ForegroundColor Cyan
    if (Test-Connection -ComputerName $DC.HostName -Count 1 -Quiet) {
        try {
            # quser writes "No User exists for *" to stderr when nobody is logged on;
            # 2>&1 keeps that message in the output instead of reporting it as a WinRM failure
            Invoke-Command -ComputerName $DC.HostName -ScriptBlock { quser 2>&1 | ForEach-Object { "$_" } } -ErrorAction Stop
        }
        catch {
            Write-Host "WinRM issue on $($DC.HostName): $_" -ForegroundColor Yellow
        }
    }
    else {
        Write-Host "DC not reachable: $($DC.HostName)" -ForegroundColor Red
    }
}

This script runs the quser command on the domain controller over PowerShell Remoting (WinRM) to list its interactive sessions: users signed in at the console or through Remote Desktop (RDP), with session state, idle time, and logon time. It does not show network, service, or scheduled-task logons; use the 4624 events described above for those.

2. How to limit domain controller logons to specific users in Active Directory?

Domain controllers play a vital role in Active Directory by managing authentication, controlling user access, and maintaining overall domain security. If these systems are granted unrestricted logon access, it can lead to unintended configuration changes, accidental deletion of important objects, and other security issues. To prevent such risks, it is important to allow only specific users to log on to domain controllers. This can be achieved using Group Policy Objects (GPOs), which enforce consistent security settings across the domain. The following GPO restrictions can be applied to restrict logons to only authorized users:

  • Allow log on locally – Controls who can log on interactively at the domain controller.
  • Access this computer from the network – Defines which users can access domain controllers.
  • Log on as a batch job – Specifies which user accounts can run scheduled tasks on domain controllers.
  • Log on as a service – Determines which accounts can run services on domain controllers.
  • Allow log on through Remote Desktop Services – Specifies which users can connect to domain controllers via RDP.

To implement these restrictions, first create a security group containing the users who should be granted access to domain controllers. Once the group is created, follow the steps below to apply the required GPO settings.

Step 1: Create and link the GPO

  • Open Server Manager and navigate to Tools » Group Policy Management.
  • From the left console tree, right-click the Domain Controllers OU and select Create a GPO in this domain, and Link it here.
  • In the New GPO dialog box, enter a descriptive name for the policy and click OK. Once created, right-click it and select Edit.

Step 2: Configure the logon restrictions

  • In the Group Policy Management Editor, navigate to Computer Configuration » Policies » Windows Settings » Security Settings » Local Policies » User Rights Assignment.
  • Right-click ‘Allow log on locally’ and select Properties.
  • Enable Define these policy settings, and click Add User or Group.
  • Type the name of the group you created, click OK, then click Apply, confirm the settings, and click OK.
  • Repeat the same process for the remaining policies to enforce the required logon restrictions. A user right defined in a GPO replaces the DC's local list rather than adding to it, so include every principal that still needs the right. In particular, keep Authenticated Users, Enterprise Domain Controllers, and Everyone in Access this computer from the network; removing them stops clients and other DCs from authenticating to the DC.

By default, the GPO applies to all domain controllers in the OU. If you want to restrict logons on specific domain controllers only, use Security Filtering in the GPO to target individual DC computer accounts.
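After the GPO applies (gpupdate /force on the DC, or the next refresh), verify what is actually in force rather than trusting the editor view. The block below is an added example, not code from the article, that exports the effective user-rights assignment on a DC with secedit and maps the five settings above to their privilege constants, translating the SIDs in the export to account names. secedit /export needs an elevated session; the function runs it locally by default or over WinRM when a computer name is given.

```powershell
# Added example, not the article's own code.
function Get-DcLogonRights {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # privilege constant written by secedit -> GPO setting name
    $rights = @{
        SeInteractiveLogonRight       = 'Allow log on locally'
        SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
        SeNetworkLogonRight           = 'Access this computer from the network'
        SeBatchLogonRight             = 'Log on as a batch job'
        SeServiceLogonRight           = 'Log on as a service'
    }

    $export = {
        $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
        # exports the effective local security policy (local settings merged with applied GPOs)
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        try     { Get-Content -Path $cfg -Encoding Unicode }   # secedit writes UTF-16
        finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { $lines = & $export }
    else { $lines = Invoke-Command -ComputerName $ComputerName -ScriptBlock $export }

    foreach ($line in $lines) {
        # lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $privilege = $Matches[1]; $entries = $Matches[2]
        if (-not $rights.ContainsKey($privilege)) { continue }

        $principals = foreach ($entry in ($entries -split ',')) {
            $v = $entry.Trim()
            if (-not $v.StartsWith('*')) { $v; continue }          # already a name
            try {
                # entries are '*<SID>'; translate well-known and domain SIDs to names
                ([System.Security.Principal.SecurityIdentifier]$v.Substring(1)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $v.Substring(1) }                             # orphaned SID: show raw
        }
        [pscustomobject]@{
            Computer   = $ComputerName
            Setting    = $rights[$privilege]
            Privilege  = $privilege
            Principals = ($principals -join '; ')
        }
    }
}

Get-DcLogonRights | Format-Table Setting, Privilege, Principals -AutoSize -Wrap
```

A principal that shows up only as a raw SID is usually a deleted group still referenced by the policy, which is worth cleaning up; a setting whose Principals column is empty means the right was defined in the GPO with no members, which for Access this computer from the network would break authentication to that DC.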

3. How to ensure privileged users can log on only to domain controllers in Active Directory?

Let’s say you have restricted DC access to specific privileged users using Group Policy (GPO). Now, only those users can sign in and access DCs. But imagine those same users are also allowed to sign into standard workstations or other low-tier computers in your environment. When this happens, their highly privileged credentials are left exposed in the memory of those systems. If an attacker gains access to one of these low-tier systems, they can easily harvest the exposed administrative credentials and gain full control of your domain controllers.

Therefore, it is recommended to isolate these privileged accounts, ensuring that the users who can access your DCs are restricted from signing into lower-tier systems entirely.

Limit privileged user access to specific domain controllers using ADUC console

  • Open Active Directory Users and Computers console.
  • Right-click the user account you want to restrict and select Properties.
  • Navigate to the Account tab and click Log On To.
  • Select The following computers, enter the NetBIOS name of each domain controller, and click Add. Then click OK.
  • Click Apply and OK to save the changes.

Restrict privileged user accounts to log on to domain controllers using PowerShell

The above method using the ADUC console requires you to navigate to each user account individually, which can be time consuming and inefficient when managing multiple accounts. Instead, you can use the cmdlet below to restrict a privileged user account to specific domain controllers in a single step.

Set-ADUser -Identity "<AdminUsername>" -LogonWorkstations "<DC01>,<DC02>"

Replace <AdminUsername> with the logon name (sAMAccountName) of the admin account you want to restrict, and <DC01>,<DC02> with the NetBIOS computer names of the domain controllers you want to allow, separated by commas with no spaces. The value overwrites the account's existing list, so include every computer the account should still be able to use, and confirm the result by reading the LogonWorkstations property back with Get-ADUser.

Tip: You can use these methods to restrict user access to any computers, including workstations and member servers.
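Applying the restriction one account at a time does not scale and, more importantly, does not catch an account whose list is later cleared or widened. The block below is an added example, not code from the article, that takes every user in a Tier 0 administrators group, computes the DC-only list from the domain controllers that currently exist, reports which accounts drift from it, and optionally enforces it. The group name is an assumption; the -Apply switch is off by default so the first run only reports.

```powershell
# Added example, not the article's own code. Group name is an assumption.
function Set-DcOnlyLogonWorkstations {
    param(
        [string]$GroupName = 'Tier0-DC-Admins',
        [switch]$Apply
    )
    # LogonWorkstations (userWorkstations) holds NetBIOS computer names; .Name of a DC object is that
    $dcNetbios = @((Get-ADDomainController -Filter *).Name | Sort-Object)
    $expected  = $dcNetbios -join ','

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LogonWorkstations |
        ForEach-Object {
            $current = @()
            if ($_.LogonWorkstations) { $current = @($_.LogonWorkstations -split ',' | Sort-Object) }

            # drift = no restriction at all, or a list that differs from the current set of DCs
            $drift = ($current.Count -eq 0) -or [bool](Compare-Object $current $dcNetbios)

            if ($drift -and $Apply) { Set-ADUser -Identity $_ -LogonWorkstations $expected }

            $currentText = if ($current.Count) { $current -join ',' } else { '(any computer)' }
            $action      = if ($drift -and $Apply) { 'set to DCs only' }
                           elseif ($drift)         { 'run with -Apply to fix' }
                           else                    { 'ok' }
            [pscustomobject]@{
                User    = $_.SamAccountName
                Current = $currentText
                Drift   = $drift
                Action  = $action
            }
        }
}

Set-DcOnlyLogonWorkstations              # report only
# Set-DcOnlyLogonWorkstations -Apply     # enforce the DC-only list
```

Run it again whenever a domain controller is added or decommissioned, since the list is static and a new DC is not covered until the accounts are updated; a scheduled report-only run also surfaces anyone who quietly removed the restriction from an account.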

4. What are the Windows event IDs in Active Directory to track logons on domain controllers?

Domain controllers generate different logon-related event IDs depending on the authentication and sign-in activity performed by users and systems. Knowing which ID records what lets you go straight to the relevant events instead of reviewing every logon. Two groups are worth distinguishing: 4624, 4625, 4634, 4647, 4648, 4672, 4778, and 4779 describe sessions on the DC itself, while 4768 and 4776 record the DC authenticating accounts on behalf of any computer in the domain, so a 4776 on a DC does not by itself mean someone signed in to the DC. For example, to find users remotely accessing a domain controller, filter Event ID 4624 on logon type 10 rather than reading every logon event. The key event IDs to monitor logons on domain controllers are:

Event ID, message, and what it records:

  • 4624, An account was successfully logged on: a successful logon to the computer by a user account.
  • 4625, An account failed to log on: a failed logon attempt due to incorrect credentials or access denial.
  • 4634, An account was logged off: the termination of a logon session on the computer.
  • 4647, User initiated logoff: a user manually signing out of an interactive or Remote Desktop (RDP) session.
  • 4648, A logon was attempted using explicit credentials: a logon where credentials are explicitly specified, common in scheduled tasks or Run As commands.
  • 4768, A Kerberos authentication ticket (TGT) was requested: a user logging on to the domain; the domain controller validates the credentials and issues a Kerberos Ticket Granting Ticket (TGT).
  • 4672, Special privileges assigned to new logon: a logon by an account that holds administrative or other sensitive privileges.
  • 4776, The computer attempted to validate the credentials for an account: credential validation during a logon performed using NTLM authentication.
  • 4778, A session was reconnected to a Window Station: a user reconnecting to an existing Terminal Services (RDP) session, switching to an existing desktop, or reconnecting to a virtual Hyper-V host.
  • 4779, A session was disconnected from a Window Station: a user disconnecting from an existing Terminal Services (RDP) session, switching away from an existing desktop, or disconnecting from a virtual Hyper-V host.
