rwilliams3 0 Posted January 28, 2003

I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving. I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each? For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc... Same for event ID 538.

How can I best filter these extra entries out and create a useful report?

Thanks, Russell

DosFreak 2 Posted January 28, 2003

Extra entries? These are the times that the user logged on/logged off. I'm assuming that the user locked/unlocked their workstation and logged back on again. The times sound about right. For proper auditing you NEED these times logged.

Mr.Guvernment 0 Posted January 28, 2003

Could very well be he has logged in and out multiple times, or do you simply want to know when he was in the first time, and logged out the last time? You can sort it by time/date, I believe. Management would likely want ALL times - they are probably seeing how often users are away from the stations when they should not be.

rwilliams3 0 Posted January 28, 2003

They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper. Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently?

In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:

1. Audit account logon events
2. Audit logon events

What's the difference?

RW

DS3Circuit 0 Posted January 28, 2003

1. Audit account logon events is when a domain controller receives a request to validate a user account. See article http://support.microsoft.com/support/kb/articles/q174/0/73.asp
2. Audit logon events is when a user logs on or off, or makes or cancels a network connection.

Auditing is a great way to detect random password hacks and/or stolen user credentials with those 2 audits.
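
The punch-clock report asked for in this thread (first logon and last logoff per user per day), as an added example that is not part of any post. It assumes the Security log has been exported to CSV with hypothetical columns `timestamp,event_id,user`; the sample rows are constructed, and the event IDs are the two the thread names. Account names ending in `$` are computer accounts in a Windows domain, so the sketch skips them by default.

```python
import csv
import io
from datetime import datetime

LOGON_ID, LOGOFF_ID = "540", "538"  # event IDs named in the thread

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = """timestamp,event_id,user
2003-01-28 07:49:10,540,jsmith
2003-01-28 07:49:12,540,Wilber$
2003-01-28 08:14:03,540,jsmith
2003-01-28 08:14:40,538,jsmith
2003-01-28 12:45:30,540,jsmith
2003-01-28 17:02:44,538,jsmith
2003-01-28 17:03:00,538,Wilber$
2003-01-29 08:05:00,540,JSmith
not-a-date,540,jsmith
"""


def punch_clock(export_text, skip_machine_accounts=True):
    """Map (user, date) to [first logon, last logoff] for that day."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = (row.get("user") or "").strip().lower()
        event_id = row.get("event_id")
        if not user or event_id not in (LOGON_ID, LOGOFF_ID):
            continue
        if skip_machine_accounts and user.endswith("$"):
            continue  # names ending in "$" are computer accounts
        try:
            when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        except (TypeError, ValueError):
            continue  # malformed timestamp: skip the row, keep the report
        entry = report.setdefault((user, when.date()), [None, None])
        if event_id == LOGON_ID and (entry[0] is None or when < entry[0]):
            entry[0] = when
        if event_id == LOGOFF_ID and (entry[1] is None or when > entry[1]):
            entry[1] = when
    return report


def format_report(report):
    lines = []
    for (user, day), (first, last) in sorted(report.items()):
        on = first.strftime("%H:%M:%S") if first else "-"
        off = last.strftime("%H:%M:%S") if last else "-"
        lines.append(f"{day} {user} first logon {on} last logoff {off}")
    return lines
```

Calling `format_report(punch_clock(SAMPLE_EXPORT))` yields one line per user per day; a day with no recorded logoff shows `-` in that column instead of being dropped.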