Audit 2 users

Hi Experts,

I need to audit the time that 2 users have been starting work and finishing.

Is there any way of checking what time users are logged in and out of Windows? Is this recorded anywhere?

Failing that, we use Outlook 2003; would that record anything with regards to logging in and out?

Wanted to find out the last 8 months if possible.

All suggestions welcome.
peggiegreg Asked:

Kimputer Commented:
8 months might be a lot (if you didn't change settings in the eventvwr retention, depending on which Windows version).
The easiest for now, IF they always start up the PC in the morning and shut it down in the evening, is to check the local system log file of the PCs in question. All startup and shutdown events are logged.
If the PCs are always on, and you need the login and logoff times, it's a bit more difficult. You need to browse your server security logs for those records. And because the server serves more users, those log files can be quite bulky. Let's hope the first option is already what you need.
peggiegreg Author Commented:
Hi Kimputer,

We are using Windows 7 machines, 64-bit.

I don't know where to find the local system log file, but saying that, I don't think they do shut down every day.

I have looked through the event logs and it displays lots of Audit Success Event ID 4624. I can't determine which are an actual login or not. See attachment: audit-success.PNG
peggiegreg Author Commented:
I was wondering if a report could be run from our SBS 2011 Standard console?

Kimputer Commented:
EventID 4647 is logoff; you still have to read the message to see the username (even though the eventvwr has a User column available).
EventID 4648 is for the logon, but this requires more attention, as you have to analyze the message further. The real logons are stated when "Account Whose Credentials Were Used" are correct AND the "Target Server Name" is localhost, with winlogon.exe as the process name and the network address as 12.0.0.1.
Sadly there are a lot of 4648 messages to go through (anonymous logins, remote logins, update users etc. etc.), and there's no way to filter this (as I said, the User column is useless).

Btw, still talking about local logs. Could be slightly different per Windows version (server or otherwise).
peggiegreg Author Commented:
I understand, I'm asking for something to be simple which isn't!

I noticed that under the System tab in Event Viewer you can search the event ID 7001 (winlogon).

Is this not when users log on?
Kimputer Commented:
Sorry if there's no easier way, I'm just reporting what Windows does! I didn't write Windows! While you might want something simple, if there's nothing else available right now, that's what I offer.

For eventid 7001, it belongs to the SYSTEM event and seems more in line with the startup of the PC than really a user logging in and out.

On the server side, logon and logoff events are also logged, but there are several (up to hundreds) per user throughout the day. There's no definite start or stop eventid, they're all just mashed together. You have to kind of guess by the activity (assume earliest of the day is logon and last of the day is logoff). Again, not easy to make a list or filter it. As I warned you before, the log is bulky and most likely won't have more than a few days (let alone a few months as you wished).

If you truly want something simple, you might need to look for expensive Enterprise solutions, but again, it won't help you much, as you want data from the past.
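
The filtering described in the replies above, as an added PowerShell example that is not part of any post in the thread: it reads events 4647 and 4648 from the local Security log, keeps the 4648 records whose target server is localhost and whose process is winlogon.exe, and reports the earliest logon and latest logoff per user per day. The function names, the `$Users` values, the `$Days` default and the output layout are assumptions.

```powershell
# Added example. Uses only PowerShell 2.0 syntax (the version shipped with
# Windows 7); run from an elevated prompt on the PC being audited.
param(
    [string[]]$Users = @('user1', 'user2'),  # placeholder account names
    [int]$Days = 30                          # how far back to read
)

function ConvertTo-EventFields($Record) {
    # Flatten <EventData><Data Name="..."> of one event into a hashtable.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

function Get-SessionEvent([string[]]$Users, [datetime]$Since) {
    $filter = @{ LogName = 'Security'; Id = 4647, 4648; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $f = ConvertTo-EventFields $_
        $kind = 'Logoff'                      # 4647: user-initiated logoff
        if ($_.Id -eq 4648) {
            # Keep only the 4648 records matching the criteria in the thread.
            if ($f['TargetServerName'] -ne 'localhost') { return }
            if ($f['ProcessName'] -notlike '*\winlogon.exe') { return }
            $kind = 'Logon'
        }
        # TargetUserName: account logging off (4647) / credentials used (4648)
        if ($Users -contains $f['TargetUserName']) {
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; User = $f['TargetUserName']; Kind = $kind }
        }
    }
}

Get-SessionEvent -Users $Users -Since (Get-Date).AddDays(-$Days) |
    Group-Object User, { $_.Time.Date } | ForEach-Object {
        $on  = $_.Group | Where-Object { $_.Kind -eq 'Logon' } |
               Sort-Object Time | Select-Object -First 1
        $off = $_.Group | Where-Object { $_.Kind -eq 'Logoff' } |
               Sort-Object Time | Select-Object -Last 1
        New-Object PSObject -Property @{
            User       = $_.Group[0].User
            Date       = $_.Group[0].Time.ToString('yyyy-MM-dd')
            FirstLogon = $on.Time    # empty if no matching 4648 that day
            LastLogoff = $off.Time   # empty if no 4647 that day
        }
    } | Select-Object User, Date, FirstLogon, LastLogoff | Sort-Object User, Date
```

Only events still retained in the Security log are returned, so how far back the report reaches depends on the log's retention settings.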
