how do i.....?

Ruroshin used Ask the Experts™
Using Windows Server 2008 R2, how do I filter out the event IDs of a server security log to display the users that logged onto the network and what time they logged in?

If that is not possible, is there software that can do this for me? I would prefer not to have to buy software. Thanks in advance :)
Sr. Systems Engineer
Because this is so problematic.. each access (login or just file access) is logged into the security logs, I always use login scripts that make this very easy to see.. the login script makes files with the user name and computer name, the last time changed is when they last logged in, and the file itself keeps a log of that user and computer.. you just put this line into their login script and make a share on the server. To add security make it a $ hidden share...

Echo %DATE% - %TIME% %USERNAME% logged into %COMPUTERNAME% >>\\server\userlog$\%username%.%computername%.txt

Do you know anything about login scripts? Using this method you can even use a logoff script to see when they logged out of the computer..
Steve Agnew, Sr. Systems Engineer

Create the login script
1. At the Domain Controller (i.e. the computer you use to add new users to the domain), use Windows Explorer (or My Computer) to locate C:\Winnt\SYSvol\sysvol\[domain].com\scripts where [domain] is the name of the domain that the workstations log in to.
2. On the 'File' menu, select New|Text Document.
3. Double-click the 'New Text Document' icon to open this new file in Notepad.
4. Enter the required commands.
5. On the 'File' menu, click 'Save As'. In the 'Save As' dialog box, change 'Save as type' to 'All Files' and save the file with the name login.bat.
6. Close Notepad and Windows Explorer (or My Computer).
Assign the login script
1. At the taskbar, click Start|Settings|Control Panel.
2. In the 'Control Panel' window, double-click 'Administrative Tools'.
3. In the 'Administrative Tools' window, double-click 'Active Directory Users and Computers'.
4. In the 'Active Directory Users and Computers' window, click the Users folder in the Tree pane.
5. In the Name list, right-click the name of a user that needs to have the login script assigned to them. In the menu that is displayed, select 'Properties'.
6. In the '[user] Properties' dialog box (where [user] is the name of the user you right-clicked), click the Profile tab. In the 'Logon script' text box, type 'login.bat'. Click 'OK'.
7. Now repeat this procedure for each user to whom you want to assign the login script.
The next time those users log in, the login script will run on their computers.
Steve Agnew, Sr. Systems Engineer
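
An added example, not part of the posts above: a Python sketch that reads the per-user files the login script line produces and reports the last logon for each user/computer pair. Because the script runs as the user, every user needs write access to the share, so the sketch also flags any line that does not match the user and computer in the file name. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample data: file name -> contents, shaped like what the login
# script line would append under \\server\userlog$ (date layout is locale-dependent).
SAMPLE_FILES = {
    "jsmith.WS01.txt":
        "Fri 09/17/2010 -  8:01:12.40 jsmith logged into WS01 \r\n"
        "Sat 09/18/2010 - 14:03:22.15 jsmith logged into WS01 \r\n",
    "mary.jones.WS02.txt":
        "Sat 09/18/2010 -  9:15:00.02 mary.jones logged into WS02 \r\n"
        "Sat 09/18/2010 - 23:59:59.99 administrator logged into DC01 \r\n",
}

def split_name(filename):
    """Split 'user.computer.txt'; user names may contain dots, NetBIOS names may not."""
    stem = filename[:-4] if filename.lower().endswith(".txt") else filename
    user, _, computer = stem.rpartition(".")
    return user, computer

def audit_file(filename, text):
    """Return last logon stamp, entry count and lines that do not fit the file."""
    user, computer = split_name(filename)
    expected = re.compile(
        r"^(?P<stamp>.+?)\s+%s\s+logged into\s+%s\s*$"
        % (re.escape(user), re.escape(computer)),
        re.IGNORECASE,
    )
    stamps, suspect = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = expected.match(line)
        if match:
            stamps.append(" ".join(match.group("stamp").split()))
        else:
            suspect.append(line.strip())
    return {
        "user": user, "computer": computer, "count": len(stamps),
        # The script only appends, so the last matching line is the latest logon.
        "last_logon": stamps[-1] if stamps else None,
        "suspect": suspect,
    }

def audit_share(files):
    return [audit_file(name, text) for name, text in sorted(files.items())]

if __name__ == "__main__":
    for row in audit_share(SAMPLE_FILES):
        print(row)
```

The timestamp is kept as an opaque string because %DATE% and %TIME% follow each client's regional settings.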

C:\Winnt\SYSvol\sysvol\[domain].com\scripts above would be c:\Windows\SYSVOL\domain\scripts

I agree with DeadNight that using a logfile in your login script is the easiest way to track new logins.

If you're trying to track down a login on a certain computer back in time you can use psloglist.exe, a free tool from Microsoft (used to be known as

Download and descriptions are here

psloglist.exe is a very versatile tool for extracting events from one or more computers,
here's a list with all the options

A couple of examples:

To create a delimited file of all logins (event id 528 and 540) on computer2 during the last 5 hours:
psloglist \\computer2 security -i 528,540 -h 5 -s -t ; > psloglist.csv

The same for September 18th 2010 (can take some time):
psloglist \\computer2 security -i 528,540 -b 09/19/10 -a 09/18/10 -s -t ; > september18th.csv

Find all event 630 (User account deleted) on server PDC after Jan 28th 2010 and before Jan 30th 2010
psloglist \\pdc security -i 630 -a 01/28/10 -b 01/30/10 -s -t ; > deleted-on-jan-29th.csv

The delimited files can be handled in Excel


Thanks :)  you helped me out a lot.
