• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 661
  • Last Modified:

windows 2003 : how to find the users those logged in past in the server

Dear team,

please advice some tip to ser the logs/commands to find who logged into the server during past few days( let's say - week).

please advice fastest and simple way of finding using commands/log files rather using evetviewer.

thanks for your support  -
0
mac_g
Asked:
mac_g
4 Solutions
 
Krzysztof PytkoActive Directory EngineerCommented:
Unfortunately, there is no simple method for that. You may logon to server and view its Security Event Log to search for users logged on there.

You need to filter dates you want to check and specify Event ID for that activity. This event ID should be used: 528 and 540

You may also try to use VBScript code from that forum to get that
http://www.petri.co.il/forums/showthread.php?t=18424

Regards,
Krzysztof
0
 
g000seCommented:
Hi, you can enable auditing on the server and then it would show who has been logged.  This can be viewed in the event logs.
0
 
Sushil SonawaneCommented:
Try "ADAudit Plus" to get data in details.

Download link (http://www.manageengine.com/products/active-directory-audit/member-server-audit.html)
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
g000seCommented:
Once you have the event ids that you are looking for- you can use EventCombMT program.  It polls from any server to your computer so you don't need to go to each server's event logs.

http://support.microsoft.com/kb/814595

http://www.microsoft.com/en-us/download/details.aspx?id=18465
0
 
Rob WilliamsCommented:
Unfortunately if you did not  enabled auditing prior to the event there is very little information available.  If you wish to be able to determine logons in future please see the following from an earlier post of mine:


You can enable detailed auditing and within the configuration, you can configure the systems and successful and/or failed events you wish to audit. Following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx

However using auditing can be time consuming to filter and extract.

Another option is to add the lines below to each users logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (if you don't already have one: User Configuration | Windows settings | Scripts | Logoff). You likely won’t need the last line (IP address) in the log off script.

As written below it will create the log/text file in \\Server\Logs\LogOns.Log and the entries will look like:
Log File

Log On:  jdoe SERVER1  Tue 1/1/2007   9:01
  TCP    10.0.1.100:3389        66.66.123.123:1234        ESTABLISHED

Log Off: jdoe SERVER1  Tue 1/1/2007   9:31

Log On:  jsmith SERVER2  Tue 1/1/2007   11:00
  TCP    10.0.1.200:3389        66.66.123.124:1234        ESTABLISHED

Log Off: jsmith SERVER1  Tue 1/1/2007   11:30
---------------------------------------------------------------------------

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\Logs\LogOns.Log"

---------------------------------------------------------------------------
Note the users will need to have read/write and execute permissions for the \\Server\Logs\LogOns.Log  file.
0
 
JustMy2CentsCommented:
UserLock Session History ReportUserLock will come handy here as this 3rd-party software solution (among other security-oriented  features) records all session logging and locking events in an ODBC database (SQL Server) for reporting.

Reports (including a comprehensive session history: logon, lock, unlock, logoff instances, users, domains, workstations…), can automatically be generated at regular intervals.

Detailed info and trial:
http://www.isdecisions.com/products/userlock/
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now