How to tell when a user logged onto the domain?

JRome225
JRome225 used Ask the Experts™
on
How can I easily find what time a user logged into their computer Monday morning from the server? I am using 2008R2
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Paul MacDonaldDirector, Information Systems
Commented:
Turn on auditing of Account Logon events.

Author

Commented:
I do have the auditing on but its over 200K entries under security. I tried filtering it using the domain\username but it wouldn't show anything.
Top Expert 2016
Commented:
you have to check each DC's security audit logs. What I do is run a logon script that simply does
echo %username% logged onto %computername% date >> \\server\share\logons.txt
Should you be charging more for IT Services?

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

NVITEnd-user support

Commented:
Active Directory Administrative Center

Author

Commented:
NewVillage, where about in the Admin Center would I find the logon report?
NVITEnd-user support

Commented:
When you pick the user, it shows at the bottom right (attached)
greenshot-2014-11-13-08-19-18.png
NVITEnd-user support
Commented:
One way to report all users at once is with PowerShell...

Open a CMD prompt

powershell

import-module ActiveDirectory
Get-ADUser -Filter * -Properties "LastLogonDate" | sort-object -property lastlogondate -descending | Format-Table -property name, lastlogondate -AutoSize

Open in new window

Author

Commented:
I need it from Monday, is that possible?
NVITEnd-user support

Commented:
One out-of-the-box way is to set the GPO "Display information about previous logons during user logon".
But, I think by default this isn't set.

Computer Configuration| Policies | Administrative Templates | Windows Components | Windows Logon Options | Display information about previous logons during user logon = Enabled
End-user support
Commented:
Another way is LogParser http://www.microsoft.com/en-us/download/details.aspx?id=24659

This gets all logons, including machine and users:
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO Report.tsv FROM Security WHERE EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2"

Open in new window


Here's one to get a certain user:
LogParser "SELECT TimeGenerated AS LogonDate, EXTRACT_TOKEN(Strings, 0, '|') AS Account INTO Report.tsv FROM Security WHERE (EventID NOT IN (541;542;543) AND EventType = 8 AND EventCategory = 2 AND Account LIKE 'username')"

Open in new window

Depending on your security event log settings the logs may have already been removed

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start Today