The Logon/Logoff reports display the following information for each logon session.
In order to use the report you need to:
1- Enable the logon/logoff audit
Windows NT 4: Administrative Tools > User Manager for domain > Policy > Audit
Check Audit these events
Check Success for Logon and Logoff
Windows 2000/XP/2003/Vista/2008/7/2008 R2: Administrative Tools > Local security policy > Local policies > Audit policy > Audit logon events
Warning! The audit sometimes takes a long time to become effective. To speed this up, you can run the following command line: secedit /refreshpolicy machine_policy on Windows 2000, or gpupdate on Windows XP/2003/Vista/2008/7/2008 R2.
Warning! If defined, the domain security policy and the domain controller security policy override the local policy.
2- Scan the security log of the computers to audit
In the event log section of the scan configuration add a filter for the following events:
528, 540 and 538 in the security log.
Alternatively you can load the event filter file "C:\Program files\ISDecisions\WinReporter4\Templates\LogonEventFilter.xml" with the context menu of the Event logs section.
Then launch the scan.
3- Once the scan is done, select the report in the Event reports section of the report tree.
4- Configure the filter if needed. You can choose the report period with the From and To fields.
6- Click Launch to see the report.
You can define the report time period with the Begin date and End date fields.
You can choose not to display sessions shorter than the time length specified in the Session> field.
The check box Logoff without logon displays logoff events that have no corresponding logon event.
The check box Logon without logoff displays logon events that have no corresponding logoff event.
- The report may require a long time to execute the query. To speed up the process, you can deactivate Logoff without logon and Logon without logoff.
The report is interesting on Windows NT 4 computers or on Windows 2000/XP/Vista/7 workstations (local logon). On Windows 200x domain controllers the system generates too many Logon/Logoff events, and it is very difficult to analyze them.
The Logon/Logoff report uses events 528 and 540 (Logon) and 538 (Logoff).
The session information is located in the dynamic parameters:
1 : User name
2 : Domain
3 : Session Identifier
4 : Logon Type (Network = 3, Local = 2, Unlock workstation = 7)
7 : Workstation name
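
The pairing described above can be reproduced outside the product. The following is an added example, not WinReporter code: it matches logon events (528, 540) to logoff events (538) on the Session Identifier and applies the same three report options. The record layout (timestamp, event ID, parameter list), the helper t and the sample events are assumptions constructed for illustration, and all events are assumed to come from one computer.

```python
from datetime import datetime, timedelta

LOGON_IDS, LOGOFF_ID = {528, 540}, 538          # event IDs named on this page
LOGON_TYPES = {"2": "Local", "3": "Network", "7": "Unlock workstation"}

def build_sessions(events, min_length=timedelta(0),
                   logon_without_logoff=True, logoff_without_logon=True):
    """Pair logon and logoff events on the Session Identifier (parameter 3).

    events: iterable of (timestamp, event_id, params); params[0] is parameter 1.
    Returns rows of (user, domain, type, workstation, start, end); a missing
    start or end is None.
    """
    open_logons, rows = {}, []
    for ts, event_id, p in sorted(events, key=lambda e: e[0]):
        user, domain, session, ltype = p[0], p[1], p[2], p[3]
        kind = LOGON_TYPES.get(ltype, ltype)
        if event_id in LOGON_IDS:
            workstation = p[6] if len(p) > 6 else ""   # parameter 7
            open_logons[session] = (user, domain, kind, workstation, ts)
        elif event_id == LOGOFF_ID:
            start = open_logons.pop(session, None)
            if start is None:                          # logoff without logon
                if logoff_without_logon:
                    rows.append((user, domain, kind, "", None, ts))
            elif ts - start[4] >= min_length:          # drop short sessions
                rows.append(start + (ts,))
    if logon_without_logoff:                           # logon without logoff
        rows.extend(s + (None,) for s in open_logons.values())
    return rows

def t(hhmm):
    """Hypothetical helper: timestamp on a constructed sample day."""
    return datetime.strptime("2009-03-02 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events (not taken from a real security log).
SAMPLE = [
    (t("08:01"), 528, ["alice", "CORP", "(0x0,0x1A2B3)", "2", "User32", "Negotiate", "WS01"]),
    (t("08:05"), 540, ["bob", "CORP", "(0x0,0x1A2F0)", "3", "Kerberos", "Kerberos", "WS07"]),
    (t("08:05"), 538, ["bob", "CORP", "(0x0,0x1A2F0)", "3"]),
    (t("09:10"), 538, ["carol", "CORP", "(0x0,0x0FFEE)", "2"]),
    (t("12:30"), 538, ["alice", "CORP", "(0x0,0x1A2B3)", "2"]),
    (t("13:00"), 528, ["dave", "CORP", "(0x0,0x1B000)", "7", "User32", "Negotiate", "WS01"]),
]

if __name__ == "__main__":
    for row in build_sessions(SAMPLE, min_length=timedelta(minutes=1)):
        print(row)
```

With a one-minute minimum length, the zero-length network session is dropped, while the unmatched logoff and the still-open logon remain until their check-box equivalents are turned off.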