• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3680
  • Last Modified:

Domain login history for user

for some security reason and investigation
i need some info on how to get:
user A's  login and logoff history for everyday for past one month.

i have some tools (eg jiji ad report) but those just gives last succesfull or failed login.ths it.
any idea on how to get this info.
0
KerryJB
Asked:
KerryJB
1 Solution
 
Mike ThomasConsultantCommented:
It depends on what you have configured to Audit, how big the log files are etc if you hvae configred the domain controller policy to log succesfull log ons and and your log files could cope with 1 months worth of logs then check the security logs on the domain controllers.
0
 
M. Rashel AhmedCommented:
you can see that in the event log. for more details, you can see it here: http://technet.microsoft.com/en-us/library/bb742435.aspx .


0
 
wmeerzaCommented:
on-going it would be better to create a logon/off script that records their activity. Much easier to audit in the long run.
For a login script:
  for /F "tokens=2 delims=:" %%K in ('ipconfig ^| find /I "IP Address"') do set IPADD=%%K
  echo logged on,%USERNAME%,%DATE%,%TIME%,%IPADD% >>"\\server\useraccess.txt"

For a logoff script:
  for /F "tokens=2 delims=:" %%K in ('ipconfig ^| find /I "IP Address"') do set IPADD=%%K
  echo logged off,%USERNAME%,%DATE%,%TIME%,%IPADD% >>"\\server\useraccess.txt"

Add these as .bat files to your default domain policy and then just use Excel to filter.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Geek_NabilCommented:
First check that in Audit policies you enabled "Audit account logon events".

0
 
KerryJBAuthor Commented:
auditing of account logon events is enabled. the problem is the size we set is not much.and we need the data for the month of june. is this possible in any way.?
0
 
Mike ThomasConsultantCommented:
The event logs are stored in %SystemRoot%\System32\Config in files ending .evt if your backups were capturing that location/files you could restore the older files and review them.


0
 
Geek_NabilCommented:
That is not possible unless as @MojoTech mentioned you have a backup, a log that is deleted is gone.
For future needs i suggest increasing the log file size, by right click on the log -> properties -> log size.
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now