I'm curious to truely log a person's logon's and logoff's what event ID codes would one need to monitor? Throughout the day, I know it is not abnormal to have 50, 60, 70 logon and logoff's in a days time i.e. Event ID: 528, 540 and 538, but not all of these are from the user alone, some of these entries are caused by the network, system ect....
How can you truely tell though if through user logon/logoff intervention that person is logging in or logging off of their system, something that would prove without a shadow of a doubt electronically that they are in the building physically logging and logging off their system. What event ID codes would signify this?
Also, would doing a Control + Alt + Delete and locking the system generate a logout event ID i.e. 538 ? I'm assuming if it did log it as a 538 that logging back into that machine from a lock would generate an event ID of 528 or 540.