Users Log on history in a domain

Hi Experts,

I want to know if there is a simple way to identify any user's login activities for the past week or so. I tried my best to search for something like this but could not find anything.

Our domain is on Windows 2003.
bubaibhatta Asked:
Life1430 Commented:
Yes, but only if you have audit logging enabled. If you have, then search for the event IDs relevant to your requirement in the link below:

http://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx
0
Mike Kline Commented:
Does the user generally logon from one PC or multiple?

Thanks

Mike
0
Sandeshdubey, Senior Server Engineer, Commented:
If auditing is enabled, you can track the same. I think one simple way to accomplish this is to implement a logon script like the one below, which will capture the value of the %logonserver% variable of every client and record it to a central location (like a file share; note that you must give write permission to Domain Users):
echo logon,%username%,%logonserver%,%date%,%time% >>sharedfilepath\logon.csv
0
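
As an added example (not part of the thread and not written by any participant), this Python script reads the logon.csv that the logon script above appends to and lists each user's logons for the last seven days. The US-style %date%/%time% layout and the sample rows are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of logon.csv (not real data). Assumed US regional settings:
# %date% = "Ddd MM/DD/YYYY", %time% = "H:MM:SS.cc" with a leading space before 10:00.
SAMPLE = r"""logon,alice,\\DC01,Mon 03/04/2013, 8:01:12.45
logon,bob,\\DC02,Mon 03/04/2013,09:15:40.02
logon,alice,\\DC03,Wed 03/06/2013,14:22:05.10
logon,carol,\\DC01,Fri 02/15/2013,10:00:00.00
logon,bob,\\DC02,Thu 03/07/2013,09:02:11,73
logon,dave,\\DC0
"""

def parse_line(fields):
    """Return (user, dc, timestamp), or None if the line is malformed."""
    if len(fields) == 6:  # a decimal-comma %time% splits into two CSV fields
        fields = fields[:4] + [fields[4] + "." + fields[5]]
    if len(fields) != 5 or fields[0] != "logon":
        return None
    _, user, server, date, time = (f.strip() for f in fields)
    try:
        stamp = datetime.strptime(date.split()[-1] + " " + time.split(".")[0],
                                  "%m/%d/%Y %H:%M:%S")
    except (ValueError, IndexError):
        return None
    return user.lower(), server.lstrip("\\").upper(), stamp

def logon_history(text, now, days=7):
    """Group logons from the last `days` days by user; count rejected lines."""
    cutoff = now - timedelta(days=days)
    history, rejected = defaultdict(list), 0
    for fields in csv.reader(StringIO(text)):
        if not fields:
            continue
        rec = parse_line(fields)
        if rec is None:
            rejected += 1  # truncated or interleaved writes, wrong locale
        elif cutoff <= rec[2] <= now:
            history[rec[0]].append((rec[2], rec[1]))
    return {u: sorted(v) for u, v in history.items()}, rejected

if __name__ == "__main__":
    hist, bad = logon_history(SAMPLE, now=datetime(2013, 3, 8, 12, 0))
    for user, events in sorted(hist.items()):
        for stamp, dc in events:
            print(f"{user:8} {stamp:%Y-%m-%d %H:%M:%S} via {dc}")
    print(f"rejected lines: {bad}")
```

Because the share has to be writable by Domain Users, every line is reported by the client and can be changed by any user, so treat the output as a convenience view and use the domain controllers' security logs where the record has to be trusted.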
piattnd Commented:
I never used AD 2003 auditing for logon history purposes, but we tried for object modification auditing and had issues where the changes were only logged on the DC in which they were changed initially.  That meant that you had to know what DC the user was connected to when the changes were made.

If the logon auditing works the same way (as I would expect it to) you would still need to harvest information across multiple DCs, unless your Global DC auditing is turned on (should catch all of the events).

If you don't currently have auditing turned on, you'll need to grab all the security logs from all your domain controllers and use something like Log Parser to go through all the security events.  There are third party applications that automate the process of grabbing those logs and putting them in a central location so you can extend the time period you can capture.  Depending on the number of authentication requests in your individual sites, your security logs may or may not contain the length of time you're looking for.

This link goes into some log parser queries.  The first he covers is to get login and logout times of a specific user.

Check through it and see if it will meet your needs.  Remember to export all your security logs so you don't lose any more data than you already possibly have.
0
bubaibhatta (Author) Commented:
So the first thing I need to do is enable auditing, right?
0
piattnd Commented:
You can use auditing from this point forward, yes.  If you need to capture data in the past though, auditing won't do any good if it's not already on and you'll need to reference the security logs.
0
bubaibhatta (Author) Commented:
Since auditing was not enabled at this point in time, I have enabled it.
What should be the next steps?
0
piattnd Commented:
You're not being too clear here, what are you trying to do?

If you need to find out who logged in when in the past week, then enabling auditing will do nothing for achieving that task.  You need to parse through the security logs to find the information (assuming your logs go back that far).

If you don't need past data and you just want the "from here on out" data, now you sit and wait, then review the audit information.
0
Pankaj_401 Commented:
It's pretty simple with this tool. You should try it at once, as it audits the complete AD; you can add as many domains to it and get the desired reports.

http://www.activedirectoryaudit.com/
0
bubaibhatta (Author) Commented:
Piattnd, sorry for being unclear. I don't want to get into past data. I want "from here on out" data.

Our domain has five sites and each has one ADC in place. What I understood is that when a user logs in to the domain from a site, that info will be available in the system log file of that site's ADC. Am I correct here?

One more thing: how do I turn on global DC auditing now?
0
piattnd Commented:
See the "Configure an Audit Policy Setting for a Domain Controller" section of this article.  Enabling auditing on the Default Domain Controller Policy should apply automatically to all domain controllers (assuming you haven't moved your DCs to an OU where they aren't applied).

This is also a link that describes the auditing settings needed for authentication attempts:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Windows-Active-Directory-Auditing.html
0
