The Logon/Logoff reports display the following information for each logon session.
Logon time | Logoff time | User name | Domain | Logon type | Server | Workstation
In order to use the report you need to:
1- Activate the logon/logoff audit
Windows NT 4: Administrative Tools > User Manager for domain > Policy > Audit
Check Audit these events
Check Success for Logon and Logoff
Windows 2000/XP/2003/Vista/2008/7/2008 R2: Administrative Tools > Local security policy > Local policies > Audit policy > Audit logon events
Check Success
Warning! The audit sometimes takes a long time to become effective. To speed this up, you can execute the following command line: secedit /refreshpolicy machine_policy on Windows 2000 or gpupdate on Windows XP/2003/Vista/2008/7/2008 R2
Warning! If defined, the domain security policy and the domain controller security policy override the local policy.
2- Scan the security log of the computers to audit
In the event log section of the scan configuration, add a filter for the following events: 528, 540 and 538 in the security log.
Alternatively you can load the event filter file "C:\Program files\ISDecisions\WinReporter4\Templates\LogonEventFilter.xml" with the context menu of the Event logs section.
Then launch the scan.
3- Once the scan is done, select the report in the Event reports section of the report tree.
4- Configure the filter if needed. You can choose the report period with the From and To fields.
6- Click Launch to see the report.
You can define the report time period with the Begin date and End date fields.
You can choose not to display sessions shorter than the time length specified in the Session> field.
The check box Logoff without logon displays logoff events without a corresponding logon event.
The check box Logon without logoff displays logon events without a corresponding logoff event.
Warning!
- The report may require a long time to execute the query. To speed up the process you can deactivate Logoff without logon and Logon without logoff.
Advice
The report is interesting on Windows NT 4 computers or on Windows 2000/XP/Vista/7 workstations (local logon). On Windows 200x domain controllers the system generates too many Logon/Logoff events, and it is very difficult to analyze them.
Additional information:
The Logon/Logoff report uses the events 528, 540 (Logon) and 538 (Logoff).
The session information is located in the dynamic parameters:
1 : User name
2 : Domain
3 : Session Identifier
4 : Logon Type (Network = 3, Local = 2, Unlock workstation = 7)
7 : Workstation name
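Added example (not WinReporter code): one way to rebuild sessions from exported 528/540/538 records using the parameter positions listed above, including the Logon without logoff, Logoff without logon and minimum session length options. It assumes that logoff records carry the same session identifier in parameter 3 and that an identifier is only unique per computer; the record layout, the helper names and the sample events are constructed for the illustration.

```python
from datetime import datetime, timedelta

LOGON_IDS, LOGOFF_ID = {528, 540}, 538
LOGON_TYPES = {2: "Local", 3: "Network", 7: "Unlock workstation"}  # from the page

def ev(ts, server, event_id, *params):
    # Dynamic parameters are 1-based on the page, so index 0 is padding.
    return {"time": datetime.fromisoformat(ts), "server": server,
            "id": event_id, "p": (None,) + params}

# Constructed sample records (not real log data). Parameters 5 and 6 are
# not described on the page; the values here are filler.
SAMPLE = [
    ev("2009-03-02 07:00:00", "WKS02", 538, "dave", "CORP", "(0x0,0x0F00D)", "2"),
    ev("2009-03-02 08:01:10", "WKS01", 528, "alice", "CORP", "(0x0,0x1A2B3)", "2",
       "User32", "Negotiate", "WKS01"),
    ev("2009-03-02 09:00:00", "WKS01", 540, "bob", "CORP", "(0x0,0x2C4D5)", "3",
       "NtLmSsp", "NTLM", "WKS07"),
    ev("2009-03-02 09:00:02", "WKS01", 538, "bob", "CORP", "(0x0,0x2C4D5)", "3"),
    ev("2009-03-02 10:00:00", "WKS02", 528, "carol", "CORP", "(0x0,0x3E6F7)", "2",
       "User32", "Negotiate", "WKS02"),
    ev("2009-03-02 17:30:00", "WKS01", 538, "alice", "CORP", "(0x0,0x1A2B3)", "2"),
]

def correlate(events, min_length=timedelta(0)):
    """Return (sessions, logons_without_logoff, logoffs_without_logon)."""
    pending, sessions, no_logoff, no_logon = {}, [], [], []
    for e in sorted(events, key=lambda e: e["time"]):
        # Assumption: a session identifier is only unique per computer.
        key = (e["server"], e["p"][3])
        if e["id"] in LOGON_IDS:
            if key in pending:          # identifier seen again before a logoff
                no_logoff.append(pending[key])
            pending[key] = e
        elif e["id"] == LOGOFF_ID:
            start = pending.pop(key, None)
            if start is None:
                no_logon.append(e)
            elif e["time"] - start["time"] >= min_length:
                p = start["p"]
                sessions.append({
                    "logon": start["time"], "logoff": e["time"],
                    "user": p[1], "domain": p[2],
                    "type": LOGON_TYPES.get(int(p[4]), p[4]),
                    "server": start["server"], "workstation": p[7]})
    return sessions, no_logoff + list(pending.values()), no_logon

if __name__ == "__main__":
    for row in correlate(SAMPLE, timedelta(minutes=1))[0]:
        print(row)
```

Each session row carries the same columns as the report: logon time, logoff time, user name, domain, logon type, server and workstation.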