PeggieGreg

asked on

Audit 2 users

Hi Experts,

I need to audit the time that 2 users have been starting work and finishing.

Is there any way of checking what time users are logged in and out of Windows? Is this recorded anywhere?

Failing that, we use Outlook 2003; would that record anything with regards to logging in and out?

Wanted to find out the last 8 months if possible.

All suggestions welcome.
Kimputer

8 months might be a lot (if you didn't change the retention settings in eventvwr, depending on which Windows version).
The easiest for now, IF they always start up the PC in the morning and shut it down in the evening, is to check the local system log file of the PCs in question. All startup and shutdown events are logged.
If the PCs are always on, and you need the login and logoff times, it's a bit more difficult. You need to browse your server security logs for those records. And because the server serves more users, those log files can be quite bulky. Let's hope the first option is already what you need.
PeggieGreg

ASKER

Hi Kimputer,

We are using Windows 7 machines, 64-bit.

I don't know where to find the local system log file, but saying that, I don't think they do shut down every day.

I have looked through the event logs and it displays lots of Audit Success Event ID 4624. I can't determine which are actually a log in or not. - see attachment
I was wondering if a report could be run from our SBS 2011 Standard console?

EventID 4647 is logoff; you still have to read the message to see the username (even though the eventvwr has a User column available).
EventID 4648 is for the logon, but this requires more attention, as you have to analyze the message further. The real logons are stated when "Account Whose Credentials Were Used" is correct AND the "Target Server Name" is localhost, with winlogon.exe as the process name and the network address as 12.0.0.1.
Sadly there are a lot of 4648 messages to go through (anonymous logins, remote logins, update users, etc.), and there's no way to filter this (as I said, the User column is useless).

Btw, still talking about local logs. Could be slightly different per Windows version (server or otherwise).

I understand, I'm asking for something to be simple which isn't!

I noticed that under the System tab in Event Viewer you can search for event ID 7001 (winlogon).

Is this not when users log on?
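
Added example, not part of the original thread: one way to separate the 4624 events that represent a person signing in from the rest is the Logon Type field recorded in each event, paired here with the 4647 logoff event mentioned above (this is a different approach from reading 4648 messages by hand). The account names `jsmith` and `mjones` are placeholders, and the script assumes an elevated PowerShell prompt on the workstation whose Security log still retains the period in question.

```powershell
# Added example. 'jsmith' and 'mjones' are placeholder account names.
$users = 'jsmith', 'mjones'
$since = (Get-Date).AddMonths(-8)

# 4624 LogonType values that indicate a person at the console or over RDP:
# 2 = interactive, 7 = unlock, 10 = remote interactive, 11 = cached interactive.
# Types such as 3 (network) and 5 (service) are the background noise.
$humanTypes = '2', '7', '10', '11'

# Reading the Security log requires an elevated prompt.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4647; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Read the named fields from the event XML instead of parsing message text.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($users -notcontains $data['TargetUserName']) { continue }
    if ($ev.Id -eq 4624 -and $humanTypes -notcontains $data['LogonType']) { continue }

    $action = 'Logoff'
    if ($ev.Id -eq 4624) { $action = 'Logon' }
    New-Object PSObject -Property @{
        User = $data['TargetUserName']; Time = $ev.TimeCreated
        Day = $ev.TimeCreated.ToString('yyyy-MM-dd'); Action = $action
    }
}

# One line per user per day: first logon/unlock and last logoff seen.
$rows | Group-Object User, Day | Sort-Object Name | ForEach-Object {
    $on  = $_.Group | Where-Object { $_.Action -eq 'Logon' }  | Sort-Object Time | Select-Object -First 1
    $off = $_.Group | Where-Object { $_.Action -eq 'Logoff' } | Sort-Object Time | Select-Object -Last 1
    New-Object PSObject -Property @{
        User = $_.Group[0].User; Day = $_.Group[0].Day
        FirstLogon = $on.Time; LastLogoff = $off.Time
    }
} | Select-Object User, Day, FirstLogon, LastLogoff | Format-Table -AutoSize
```

Days on which a user only locked the screen and never logged off show an empty LastLogoff, and nothing older than the log's retention window can be recovered this way.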
ASKER CERTIFIED SOLUTION
Kimputer
