- Date and time stamp
- Posted by donald on November 27th, 2005
Hi all,
I have a group of 10 computers on a domain with one server and I need to
find out when one user in my domain was logged on and logged out and when they
locked their computer, for the last 6 months. The user only uses one
computer, which made this a little better.
The server is Windows 2003 Server and the client is using Windows XP
SP2
Any help would really time
thanks a lot
dorling
- Posted by Shenan Stanley on November 27th, 2005
donald wrote:
> I have a group of 10 computers on a domain with one server and I
> need to find out when one user in my domain was logged on and logged out
> and when they locked their computer, for the last 6 months. The user
> only uses one computer, which made this a little better.
>
> The server is Windows 2003 Server and the client is using Windows XP
> SP2
>
> Any help would really time
Do you use logon scripts in your domain? (you should)
If so (or if not - do now) - just add to the logon script for the domain
something as simple (assuming batch script logon scripts):
ECHO %USERNAME% logged into %COMPUTERNAME% on %DATE% at %TIME% >> \\SERVER\SHARE\logon.log
(Or something similar.)
As for locking the screen and keeping track of that - wow - why?! Anyway -
I have a few random ideas of how to do that - but I will let anyone else who
might have had reason to do that chime in.
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
- Posted by donald on November 27th, 2005
Hi,
thanks for your quick reply.
I will put that into the logon scripts, which will help. But is there
any way of finding out for the last 6 months??
And please do post your ideas for locking the screen???
- Posted by Frankster on November 27th, 2005
> I have a group of 10 computers on a domain with one server
> and I need to find out when one user in my domain was logged on
> and logged out and when they locked their computer, for the last 6
> months. The user only uses one computer, which made this
> a little better.
The only way I know to check activation of a locked screen is to turn on
auditing. I was faced with this once. In the Event log I could see not only
initial logon/logoff info, but also each time the user "logged on" to break
the screen saver. They had different Event numbers. Although the info logged
was virtually identical.
If auditing has not been turned on I don't believe you will be able to do
any of this.
To answer Shenan's question about why... the reason I had to do it was to
help security collect all the facts before accusing someone in my org of
unauthorized use of government resources. Specifically, I had to provide my
firewall logs showing certain unauthorized web sites visited, by a specific
machine, at a specific time, but I had to go to the individual machine's
audit logs to prove that one specific individual was logged on when these
indiscretions occurred. This config was U.S. Govt mandated. Without
incorporating the ability to track this they would not have let me install
Internet access at all.
In case you are curious, the offender was properly counseled by security and
his supervisor. Turns out he was collecting overtime pay for the whole
weekend while spending well over 8 hours aggressively surfing prohibited (by
written security policy) sites.
-Frank
- Posted by Todd J Heron on November 27th, 2005
"donald" <jonathan@dorling.biz> wrote in message...
> I will put that into the logon scripts, which will help. But is there any
> way of finding out for the last 6 months?? And please do post your
> ideas for locking the screen???
Scan your domain controller event logs (if only one server) for account
logon events. Search for a tool called "Log Parser" which may help you with
filtering and searching. Log Parser is a free tool. The data will be in there
if the logs go back that far (possible if only a small environment). As for
capturing locking the screen, I really can't think of how you can pull that
data. It certainly isn't logged by default, even on the workstation itself.
528 successful logon
551 user initiated logoff
538 user logoff
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
- Posted by Frankster on November 27th, 2005
"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message
news:%23LW$8G58FHA.1248@TK2MSFTNGP14.phx.gbl...
> "donald" <jonathan@dorling.biz> wrote in message...
>> I will put that into the logon scripts, which will help. But is there any
>> way of finding out for the last 6 months?? And please do post your
>> ideas for locking the screen???
>
> Scan your domain controller event logs (if only one server) for account
> logon events. Search for a tool called "Log Parser" which may help you
> with filtering and searching. Log Parser is a free tool. The data will be
> in there if the logs go back that far (possible if only a small
> environment). As for capturing locking the screen, I really can't think
> of how you can pull that data. It certainly isn't logged by default, even
> on the workstation itself.
>
> 528 successful logon
> 551 user initiated logoff
> 538 user logoff
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
If you look at the details of events 528 and 538 carefully you will see that
the "Logon Type" is 7 for a screen saver break and 2 for a normal logon.
-Frank
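Added example, not part of any poster's message: a Python sketch that turns exported Security log rows into a per-user timeline using the event IDs (528, 538, 551) and logon types (2 and 7) named in the posts above. The CSV column layout, the user names and the sample rows are constructed for illustration; a real export would need to be mapped onto these columns.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; assumed columns: time, event ID, user, logon type, logon ID.
SAMPLE = """\
2005-11-25 08:58:10,528,jdoe,2,0x3e1a
2005-11-25 10:15:42,528,jdoe,7,0x4b20
2005-11-25 10:15:43,538,jdoe,7,0x4b20
2005-11-25 12:01:05,528,asmith,2,0x5c77
2005-11-25 17:30:02,551,jdoe,,0x3e1a
2005-11-25 17:30:09,538,jdoe,2,0x3e1a
"""
FMT = "%Y-%m-%d %H:%M:%S"


def classify(event_id, logon_type):
    """Label an event using the IDs and logon types given in the thread."""
    if event_id == "551":
        return "user initiated logoff"
    if event_id not in ("528", "538"):
        return None  # not one of the event IDs discussed
    base = "logon" if event_id == "528" else "logoff"
    if logon_type == "2":  # normal logon
        return base
    if logon_type == "7":  # screen saver / lock break
        return "unlock" if event_id == "528" else "logoff (type 7)"
    return "%s (type %s)" % (base, logon_type)


def timeline(export_text, user):
    """Return [(datetime, label)] for one user, oldest first."""
    rows = []
    for when, eid, name, ltype, _lid in csv.reader(io.StringIO(export_text)):
        label = classify(eid, ltype)
        if label and name.lower() == user.lower():
            rows.append((datetime.strptime(when, FMT), label))
    return sorted(rows)


def interactive_sessions(export_text, user):
    """Pair each type 2 event 528 with the 538 carrying the same logon ID."""
    opened, sessions = {}, []
    for when, eid, name, ltype, lid in csv.reader(io.StringIO(export_text)):
        if name.lower() != user.lower() or ltype != "2":
            continue
        ts = datetime.strptime(when, FMT)
        if eid == "528":
            opened[lid] = ts
        elif eid == "538" and lid in opened:
            sessions.append((opened.pop(lid), ts))
    return sessions
```

Rows must be in chronological order for the pairing to work; a 528 with no matching 538 stays open and is simply not reported as a session.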
- Posted by donald on November 27th, 2005
I can only do this if auditing has not been turned on, right? How do I
check this??
Thanks for your info??
Dorling
- Posted by Frankster on November 28th, 2005
> I can only do this if auditing has not been turned on, right?
> How do I check this??
>
> Thanks for your info??
>
> Dorling
Actually (what I think you meant, anyway) you can only do this if auditing
*has* been turned on on the local workstation. To check, just go to Start |
Programs | Administrator Tools | Local Security Policies. Click on Audit
Policies in the left pane, then right-click on Audit account logon events
and Audit logon events and select auditing for both failure and success.
Apply.
You can then Ctrl-Alt-Del to lock the screen, supply your password to break
the lock and you will see your logged results in the event viewer under
security. (You might have to refresh the view to see this right away if you
do this fairly quickly)
-Frank