rwilliams3

They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper. Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently? In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are: 1. Audit account logon events 2. Audt logon events What's the difference? RW

I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving. I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each? For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc... Same for event ID 538. How can I best filter these extra entries out and create a useful report? Thanks, Russell :x