Solved

Domain login history for user

Posted on 2010-09-01
8
2,310 Views
Last Modified: 2012-05-10
for some security reason and investigation
i need some info on how to get:
user A's  login and logoff history for everyday for past one month.

i have some tools (eg jiji ad report) but those just gives last succesfull or failed login.ths it.
any idea on how to get this info.
0
Comment
Question by:KerryJB
8 Comments
 
LVL 24

Expert Comment

by:MojoTech
Comment Utility
It depends on what you have configured to Audit, how big the log files are etc if you hvae configred the domain controller policy to log succesfull log ons and and your log files could cope with 1 months worth of logs then check the security logs on the domain controllers.
0
 
LVL 6

Expert Comment

by:M. Rashel Ahmed
Comment Utility
you can see that in the event log. for more details, you can see it here: http://technet.microsoft.com/en-us/library/bb742435.aspx .


0
 
LVL 10

Expert Comment

by:wmeerza
Comment Utility
on-going it would be better to create a logon/off script that records their activity. Much easier to audit in the long run.
For a login script:
  for /F "tokens=2 delims=:" %%K in ('ipconfig ^| find /I "IP Address"') do set IPADD=%%K
  echo logged on,%USERNAME%,%DATE%,%TIME%,%IPADD% >>"\\server\useraccess.txt"

For a logoff script:
  for /F "tokens=2 delims=:" %%K in ('ipconfig ^| find /I "IP Address"') do set IPADD=%%K
  echo logged off,%USERNAME%,%DATE%,%TIME%,%IPADD% >>"\\server\useraccess.txt"

Add these as .bat files to your default domain policy and then just use Excel to filter.
0
 
LVL 4

Expert Comment

by:Geek_Nabil
Comment Utility
First check that in Audit policies you enabled "Audit account logon events".

0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 4

Expert Comment

by:Geek_Nabil
Comment Utility
0
 

Author Comment

by:KerryJB
Comment Utility
auditing of account logon events is enabled. the problem is the size we set is not much.and we need the data for the month of june. is this possible in any way.?
0
 
LVL 24

Expert Comment

by:MojoTech
Comment Utility
The event logs are stored in %SystemRoot%\System32\Config in files ending .evt if your backups were capturing that location/files you could restore the older files and review them.


0
 
LVL 4

Accepted Solution

by:
Geek_Nabil earned 125 total points
Comment Utility
That is not possible unless as @MojoTech mentioned you have a backup, a log that is deleted is gone.
For future needs i suggest increasing the log file size, by right click on the log -> properties -> log size.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now