How to determine if a user authenticated to Active Directory? (4361458)

Please note, a logon and an Authentication are not the same thing. When a user logs on to a machine for the first time that day, there is a logon event recorded on the machine that they entered their username and password on, and there is a Kerberos authentication event logged on the DC that processed the users authentication to Active Directory.

If you are trying to determine where or when a user logged on to a workstation or member server, you will need to deploy the Workstation Logon Audit Agent as per the following KB article:

https://support.quest.com/kb/156640

For AD Authentication events, AA has a predefined Event Definition: "Kerberos authentication ticket (TGT) was registered". This Event Definition is disabled by default due to the large number of "Kerberos authentication ticket (TGT) was requested" events (event ID 4768) that get logged on the DCs daily. Enabling this Event Description will allow AA to report on when a user authenticated to AD (Event ID 4768), however the AA database will most likely begin to grow very fast with this Event Description enabled. There is no way to determine how fast or how many more records will be created as each environment is different.

If this Event Description is enabled, it is highly recommended to closely monitor the database size to ensure database growth does not become an issue.

To create Alerts for these events:

1. Expand Auditing & Alerting
2. Select Event Definitions
3. Scroll down, right click "Kerberos authentication ticket (TGT) was registered" and select Enable
4. Select Alerts
5. Create a new alert using the "Kerberos authentication ticket (TGT) was registered" for the Event Definition

To create an Audit Report for these events:

1. Ensure the "Kerberos authentication ticket (TGT) was registered" Event Definition is enabled as per steps 1-3 above
2. Expand Auditing & Alerting
3. Select Audit Reports
4. Create a new report specifying 4768 for the Event Log ID's filter