Ruroshin
asked on
How do I.....?
Using Windows Server 2008 R2, how do I filter out the event IDs of a server security log to display the users that logged onto the network and what time they logged in?
If that is not possible, is there software that can do this for me? I would prefer not to have to buy software. Thanks in advance :)
C:\Winnt\SYSvol\sysvol\[domain].com\scripts above would be c:\Windows\SYSVOL\domain\scripts
I agree with DeadNight that using a logfile in your login script is the easiest way to track new logins.
If you're trying to track down a login on a certain computer back in time you can use psloglist.exe, a free tool from Microsoft (used to be known as sysinternals.com)
Download and descriptions are here
psloglist.exe is a very versatile tool for extracting events from one or more computers,
here's a list with all the options
A couple of examples:
To create a delimited file of all logins (event id 528 and 540) on computer2 during the last 5 hours:
psloglist \\computer2 security -i 528,540 -h 5 -s -t ; > psloglist.csv
The same for September 18th 2010 (can take some time):
psloglist \\computer2 security -i 528,540 -b 09/19/10 -a 09/18/10 -s -t ; > september18th.csv
Find all event 630 (User account deleted) on server PDC after Jan 28th 2010 and before Jan 30th 2010:
psloglist \\pdc security -i 630 -a 01/28/10 -b 01/30/10 -s -t ; > deleted-on-jan-29th.csv
The delimited files can be handled in Excel
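On Windows Server 2008 R2, which the question names, a successful logon is written to the Security log as event ID 4624. The PowerShell below is an added example, not part of any answer in this thread; it lists who logged on and when over the same 5-hour window as the first psloglist command. The choice of logon types, the account filters and the output file name logons.csv are assumptions made for the example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt:
# reading the Security log requires administrative rights.
# Assumption: logon auditing is enabled, so successful logons are logged as 4624.

$computer = $env:COMPUTERNAME            # local server; set a remote name if needed
$since    = (Get-Date).AddHours(-5)      # same 5-hour window as the psloglist example

# Logon types to report (assumption: sessions started by people, not services)
$logonTypes = @{
    '2'  = 'Interactive'
    '3'  = 'Network'
    '7'  = 'Unlock'
    '10' = 'RemoteInteractive'
    '11' = 'CachedInteractive'
}

# @() keeps the loop from running once on $null when nothing matches (PowerShell 2.0)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter)

$report = foreach ($evt in $events) {
    # The account name lives in the event's XML payload, keyed by the Name attribute
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $type = $logonTypes[[string]$data['LogonType']]
    if (-not $type) { continue }                                   # batch, service, etc.
    if ($data['TargetUserName'] -like '*$') { continue }           # computer accounts
    if ($data['TargetDomainName'] -eq 'NT AUTHORITY') { continue } # SYSTEM, ANONYMOUS LOGON

    New-Object PSObject -Property @{
        Time      = $evt.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $type
        Source    = $data['IpAddress']
    }
}

# Semicolon-delimited like the psloglist examples, so it opens the same way in Excel
if ($report) {
    $report | Sort-Object Time | Select-Object Time, User, LogonType, Source |
        Export-Csv -Path .\logons.csv -Delimiter ';' -NoTypeInformation
}
```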
ASKER
Thanks :) you helped me out a lot.
1. At the Domain Controller (i.e. the computer you use to add new users to the domain), use Windows Explorer (or My Computer) to locate C:\Winnt\SYSvol\sysvol\[do
2. On the 'File' menu, select New|Text Document.
3. Double-click the 'New Text Document' icon to open this new file in Notepad.
4. Enter the required commands.
5. On the 'File' menu, click 'Save As'. In the 'Save As' dialog box, change 'Save as type' to 'All Files' and save the file with the name login.bat.
6. Close Notepad and Windows Explorer (or My Computer).
Assign the login script
1. At the taskbar, click Start|Settings|Control Panel.
2. In the 'Control Panel' window, double-click 'Administrative Tools'.
3. In the 'Administrative Tools' window, double-click 'Active Directory Users and Computers'.
4. In the 'Active Directory Users and Computers' window, click the Users folder in the Tree pane.
5. In the Name list, right-click the name of a user that needs to have the login script assigned to them. In the menu that is displayed, select 'Properties'.
6. In the '[user] Properties' dialog box (where [user] is the name of the user you right-clicked), click the Profile tab. In the 'Logon script' text box, type 'login.bat'. Click 'OK'.
7. Now repeat this procedure for each user to whom you want to assign the login script.
The next time those users log in, the login script will run on their computers.