jbartleydcc

How to tell when someone logged into their profile.

We are running a Windows 2003 server environment and our agents have windows xp on their stations with roaming profiles.  The Managers want to be able to check and see when an agent logged into their profile.  I don't know how to check this or how to set it up so that we can check this in the future.

Any ideas?
tigermatt

The only way of knowing is if you had auditing enabled on all your Domain Controllers, and it MUST have been enabled prior to the dates which you wish to check the logins back to. In most environments, you will find that the auditing events necessary are disabled, because they generate many events in the Security logs of your Domain Controllers, and having the event logging can cause the logs to fill up quickly.

You can check the Security logs of your DCs anyway - but it would mean checking the logs of every DC on the network, something which will be unreasonable to do time-wise if you have more than 1 or 2 DCs on the network. You're looking for Success or Failure audits (indicating Successful or Failed logins, respectively) with the type of events being Account Logon or Logon/Logoff events. Again, what you see logged here is what is configured in the auditing policy to be logged - for example, it could be configured to only log Failed Logins, not successful logins.

jbartleydcc


We only have 2 DCs and they want to see if an agent logged in when he says he did.  People always try to say they forgot to clock in but that they were here and working.  Could you direct me as to how to turn this on and if there is a way to set a max size that the log can go to and then start writing over it again so that it doesn't fill the server?

You need to enable Auditing in the Default Domain Controllers Policy, which is part of Group Policy. So, fire up Group Policy Management, and then browse to <your domain>, Domain Controllers. Right-click the Default DC policy and choose Edit.

In the policy editor, navigate to Computer Settings > Windows Settings > Local Settings > Audit Policy. Here, you will notice a set of Audit policies. Of interest to us are the 'Account Logon' and 'Logon' Events. You can double-click each of these and check to log both Success, Failure, or one of these. I'd suggest in your case you go for 'Success' - no need to log Failure logins as the events it will log are not appropriate to the purpose of this exercise.

That will replicate to each DC automatically. You would then need to go to each DC, go to Event Viewer and then view the Properties on the Security Event Log. Choose the option to 'Overwrite events automatically, oldest first' (words to that effect). I'd suggest setting the Event Log Size to either 1024000 KB or 2048000 KB (1 - 2 GB). This will allow sufficient space for logging these events, and then it will overwrite the oldest events as necessary.

The last step is to wait for replication to take place, then login to a PC, go back to the DC and look for the login event being recorded.

Once you have it working, I suggest you play with the 'Account Logon' and 'Logon' Audit Policies. You may find that one or the other will record the login attempts, and that you can turn one of them straight off, as it will give you rubbish which you don't need. You can't test this though without turning one off - once you know this works - then going and logging in somewhere and checking the event is still logged. If not, turn the policy you switched off back on.

And remember, you need to check the Security log (and change the Security log size settings etc.) on BOTH DCs.
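
Added example, not part of the original thread: once Success auditing is on, this merges the Security log records from both DCs and reports each agent's first logon per day, so neither log has to be read by hand. The tab-separated export format, DC names and account names are constructed assumptions; event IDs 672, 528 and 540 are the Windows Server 2003 IDs for the Account Logon and Logon categories and are not named in the thread.

```python
import csv
import io
from datetime import datetime

# Windows Server 2003 Security log event IDs (assumption: not named on the page).
# 672 = Kerberos authentication ticket granted (Account Logon category)
# 528 / 540 = interactive / network logon (Logon category)
LOGON_EVENT_IDS = {672, 528, 540}

# Constructed sample: one tab-separated export per DC (time, audit type, event ID, account).
DC_EXPORTS = {
    "DC1": "2009-03-02 08:57:41\tSuccess\t672\tjsmith\n"
           "2009-03-02 08:57:42\tSuccess\t672\tWS-014$\n"
           "2009-03-02 09:31:05\tFailure\t672\tmjones\n"
           "2009-03-03 09:02:10\tSuccess\t540\tJSmith\n",
    "DC2": "2009-03-02 08:59:03\tSuccess\t540\tjsmith\n"
           "2009-03-02 09:12:30\tSuccess\t672\tmjones\n"
           "2009-03-02 09:12:31\tSuccess\t673\tmjones\n"
           "2009-03-03 08:55:47\tSuccess\t672\tjsmith\n",
}

def first_logons(exports):
    """Return {(account, 'YYYY-MM-DD'): (first_seen, dc_name)} across all DCs."""
    first = {}
    for dc, text in exports.items():
        for row in csv.reader(io.StringIO(text), delimiter="\t"):
            if len(row) != 4:
                continue  # skip blank or malformed lines
            stamp, audit_type, event_id, account = row
            if audit_type != "Success" or not event_id.isdigit():
                continue
            if int(event_id) not in LOGON_EVENT_IDS:
                continue  # other audit events are not logons
            if account.endswith("$"):
                continue  # computer accounts authenticate too; not a person
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            key = (account.lower(), when.date().isoformat())
            # A user may authenticate against either DC; keep the earliest record.
            if key not in first or when < first[key][0]:
                first[key] = (when, dc)
    return first

def report(exports):
    """One line per agent per day, sorted by account then date."""
    rows = sorted(first_logons(exports).items())
    return [f"{day} {acct:<10} first logon {when:%H:%M:%S} via {dc}"
            for (acct, day), (when, dc) in rows]

if __name__ == "__main__":
    print("\n".join(report(DC_EXPORTS)))
```

A day with no line for an agent only means no matching event survived in either log; with "overwrite oldest first" enabled, records older than the log's retention window are gone.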

Awesome!  Thanks.  I'm going to set this up tonight!

Would this also work if the person only "locks" their PC at the end of the day? They never really logoff if they are locking their pc.
jasgot - No, 'locking' the PC is completely different to a full logon/logoff. Depending on network configuration, when the person 'unlocks' it, it may log a Logon event, but no logoff events are ever logged - whether they lock it or do an actual logoff/shutdown. Out of the box, Locking a PC and then unlocking it does not produce any events.

Okay, so I think the only way to record a logon event in the morning is to use GP to force a logoff at the end of another policy determining the Logon Hours.