windows 2003 :  how to find the users those logged in past in the server

Posted on 2012-09-12
Last Modified: 2012-11-12
Dear team,

please advice some tip to ser the logs/commands to find who logged into the server during past few days( let's say - week).

please advice fastest and simple way of finding using commands/log files rather using evetviewer.

thanks for your support  -
Question by:mac_g
    LVL 39

    Assisted Solution

    by:Krzysztof Pytko
    Unfortunately, there is no simple method for that. You may logon to server and view its Security Event Log to search for users logged on there.

    You need to filter dates you want to check and specify Event ID for that activity. This event ID should be used: 528 and 540

    You may also try to use VBScript code from that forum to get that

    LVL 11

    Expert Comment

    Hi, you can enable auditing on the server and then it would show who has been logged.  This can be viewed in the event logs.
    LVL 18

    Assisted Solution

    by:Sushil Sonawane
    Try "ADAudit Plus" to get data in details.

    Download link (
    LVL 11

    Expert Comment

    Once you have the event ids that you are looking for- you can use EventCombMT program.  It polls from any server to your computer so you don't need to go to each server's event logs.
    LVL 77

    Assisted Solution

    by:Rob Williams
    Unfortunately if you did not  enabled auditing prior to the event there is very little information available.  If you wish to be able to determine logons in future please see the following from an earlier post of mine:

    You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:

    However using auditing can be time consuming to filter and extract.

    Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won’t need the last line (IP address) in the log off script.

    As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
    Log File

    Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
      TCP        ESTABLISHED

    Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

    Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
      TCP        ESTABLISHED

    Log Off: jsmith SERVER1  Tue 1/1/2007   11:30

    If Exist "\\Server\Logs\LogOns.Log" GoTo START
    Echo Log File > "\\Server\Logs\LogOns.Log"
    Echo. >> "\\Server\Logs\LogOns.Log"
    Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
    netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

    Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
    LVL 4

    Accepted Solution

    UserLock Session History ReportUserLock will come handy here as this 3rd-party software solution (among other security-oriented  features) records all session logging and locking events in an ODBC database (SQL Server) for reporting.

    Reports (including a comprehensive session history: logon, lock, unlock, logoff instances, users, domains, workstations…), can automatically be generated at regular intervals.

    Detailed info and trial:

    Featured Post

    Are your corporate email signatures appalling?

    Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

    Join & Write a Comment

    You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
    Know what services you can and cannot, should and should not combine on your server.
    This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
    This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now