Thursday, 7 November 2013

Event ID 4634 logoff - An account was logged off

In this article I am going to explain the Active Directory user Logoff Event ID 4634: how to enable this event via Group Policy, how to enable it via Auditpol, and how to track a user's logon duration from the logon (4624) and logoff (4634) events.

Refer to the article Tracking User Logon Activity using Logon and Logoff Events for details on how to track a user's logon duration from the logon 4624 and logoff 4634 events.

Summary:

  1. Event ID 4634 Log Source
  2. How to enable Logoff event 4634 through Group Policy
  3. How to enable Logoff event 4634 using Auditpol
  4. How to stop/disable logoff event 4634

Event ID 4634 Log Source

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/5/2013 2:28:53 PM
Event ID:      4634
Task Category: Logoff
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myPC.myDomain.com
Description:
An account was logged off.

Subject:
 Security ID:  SYSTEM
 Account Name:  myPC$
 Account Domain:  myDomain
 Logon ID:  0x1F759B

Logon Type:   3

This event is generated when a logon session is destroyed. It can be correlated with the corresponding logon event (4624) using the Logon ID value. Logon IDs are only unique between reboots on the same computer, so a Logon ID can be reused after a restart.
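The correlation described above, as an added PowerShell example that is not part of the original article. It pairs each 4634 with the earlier 4624 carrying the same Logon ID, keys the match on computer name plus Logon ID because IDs repeat after a reboot, and reports sessions that have a logoff but no logon (or the reverse) instead of silently dropping them. The sample events are constructed; the ConvertFrom-SecurityEvent helper and the Get-WinEvent call at the end show how to feed real Security log entries into the same function.

```powershell
# Added example (not from the original article): correlate 4624/4634 by Logon ID.

function ConvertFrom-SecurityEvent {
    # Turn a real Get-WinEvent record into the flat shape Get-LogonSessionDuration expects.
    # Reads EventData by field name from the event XML rather than by positional index.
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $WinEvent.TimeCreated
            Id          = $WinEvent.Id
            Computer    = $WinEvent.MachineName
            LogonId     = $data['TargetLogonId']
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
        }
    }
}

function Get-LogonSessionDuration {
    param([Parameter(Mandatory)][object[]]$Events)

    $open   = @{}                                            # "Computer|LogonId" -> unmatched 4624
    $result = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # Logon IDs are only unique between reboots on one machine, so key on both.
        $key = '{0}|{1}' -f $e.Computer, $e.LogonId
        switch ($e.Id) {
            4624 {
                if ($open.ContainsKey($key)) {
                    # Same Logon ID seen again without a 4634: the machine restarted and
                    # reused the ID. Close the stale session with an unknown end time.
                    $stale = $open[$key]
                    $result.Add([pscustomobject]@{ Computer = $stale.Computer; Account = $stale.Account
                        LogonType = $stale.LogonType; LogonId = $stale.LogonId; LogonTime = $stale.TimeCreated
                        LogoffTime = $null; Duration = $null; Status = 'NoLogoff' })
                }
                $open[$key] = $e
            }
            4634 {
                if ($open.ContainsKey($key)) {
                    $start = $open[$key]
                    $result.Add([pscustomobject]@{ Computer = $e.Computer; Account = $start.Account
                        LogonType = $start.LogonType; LogonId = $e.LogonId; LogonTime = $start.TimeCreated
                        LogoffTime = $e.TimeCreated; Duration = $e.TimeCreated - $start.TimeCreated
                        Status = 'Complete' })
                    $open.Remove($key)
                } else {
                    # Logoff with no logon in the data: the 4624 is outside the query window
                    # or logon auditing was not enabled when the session started.
                    $result.Add([pscustomobject]@{ Computer = $e.Computer; Account = $e.Account
                        LogonType = $e.LogonType; LogonId = $e.LogonId; LogonTime = $null
                        LogoffTime = $e.TimeCreated; Duration = $null; Status = 'NoLogon' })
                }
            }
        }
    }
    foreach ($s in $open.Values) {
        # Sessions still open when the data ends.
        $result.Add([pscustomobject]@{ Computer = $s.Computer; Account = $s.Account
            LogonType = $s.LogonType; LogonId = $s.LogonId; LogonTime = $s.TimeCreated
            LogoffTime = $null; Duration = $null; Status = 'StillLoggedOn' })
    }
    return $result
}

# Constructed sample data (not real log output): one complete network session for the
# computer account, one interactive session still open, and one orphan logoff.
$base   = Get-Date '2013-11-05 14:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $base;                Id = 4624; Computer = 'myPC'; LogonId = '0x1F759B'; Account = 'myDomain\myPC$'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(5);  Id = 4624; Computer = 'myPC'; LogonId = '0x2A0010'; Account = 'myDomain\alice'; LogonType = 2 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(28).AddSeconds(53); Id = 4634; Computer = 'myPC'; LogonId = '0x1F759B'; Account = 'myDomain\myPC$'; LogonType = 3 }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(40); Id = 4634; Computer = 'myPC'; LogonId = '0x999999'; Account = 'myDomain\bob';   LogonType = 3 }
)
Get-LogonSessionDuration -Events $sample | Format-Table Account, LogonType, LogonId, LogonTime, LogoffTime, Duration, Status -AutoSize

# Against the live Security log (requires Logon and Logoff success auditing enabled):
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = (Get-Date).AddDays(-1) } |
#         ConvertFrom-SecurityEvent
# Get-LogonSessionDuration -Events $real | Where-Object LogonType -eq 2
```

Expect many very short Logon Type 3 sessions from the computer account itself (like the `myPC$` entry in the sample event above); filtering on LogonType 2 or 10 narrows the output to interactive and remote-interactive sessions, which is usually what "logon duration" means for a user.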

How to enable Logoff event 4634 through Group Policy

1. Open Group Policy Management Console by running the command gpmc.msc

2. Expand the domain node, then right-click the Default Domain Policy and click the Edit option

Event ID 4634


3. Expand the Computer Configuration node and go to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

4. Navigate to the right side pane, select the policy Audit logon events, and set the success audit value.

Enable Event ID 4634 logoff - An account was logged off


5. In Windows 7/Server 2008 R2 and later versions, you can also enable Event ID 4634 through Advanced Audit Policy Configuration. Expand Computer Configuration and go to the node Advanced Audit Policy Configuration (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration)

6. Expand this node, go to Logon/Logoff (Audit Policies->Logon/Logoff), then select the setting Audit Logoff and set its value to Success


Enable Event ID 4634


7. Run the command GPUpdate /force to apply this setting on all the computers


How to enable Logoff Event ID 4634 using Auditpol

Auditpol.exe is the command line utility used to change audit security settings at category and sub-category level. It is available by default in Windows Server 2008 R2 and later versions and in Windows 7 and later versions. Using Auditpol, we can get/set audit security settings at both per-user and computer level.

Note: You should run the Auditpol command with elevated privilege (Run As Administrator).

You can enable audit Event ID 4634 by using the following command:
Auditpol /set /subcategory:"Logoff" /success:enable
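An added PowerShell wrapper (not from the original article) that reads the current state of the Logoff subcategory before changing it, so the same script can be run repeatedly without reporting a change that did not happen. It assumes the CSV layout that `auditpol /get /subcategory:"Logoff" /r` prints, with an `Inclusion Setting` column holding values such as `No Auditing`, `Success` or `Success and Failure`; run it from an elevated prompt.

```powershell
# Added example (not from the original article): idempotent enable of Logoff success auditing.

function Get-LogoffAuditSetting {
    # auditpol's /r switch prints CSV; blank lines are dropped before parsing.
    $rows = auditpol /get /subcategory:"Logoff" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return $rows[0].'Inclusion Setting'
}

function Enable-LogoffSuccessAudit {
    $before = Get-LogoffAuditSetting
    if ($before -like '*Success*') {
        Write-Host "Logoff success auditing is already enabled ($before); nothing to do."
        return
    }
    auditpol /set /subcategory:"Logoff" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE (run elevated?)" }
    $after = Get-LogoffAuditSetting
    Write-Host "Logoff auditing changed: '$before' -> '$after'"
}

Enable-LogoffSuccessAudit
```

Replacing `/success:enable` with `/success:disable` in the `auditpol /set` line reverses the change. Keep in mind that a value set locally with Auditpol is overwritten at the next Group Policy refresh if a GPO that applies Advanced Audit Policy Configuration targets the machine, so the GPO setting is the one to fix for a lasting result.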

How to stop/disable Event ID 4634

You can disable success audit Event ID 4634 by using the following command:
Auditpol /set /subcategory:"Logoff" /success:disable
You can also stop this event by removing the Success setting from the GPO at the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->Logon/Logoff->Audit Logoff.

Note: You need to refresh/update the GPO after every change by running the command GPUpdate /force.

Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer
