Logon Statistics
Hello,
I need to have a view with the number of logged users to Domain Controllers with the peaks and variations. is it an existing view? Performance counter? logins/sec?
Should I do it by using the Netlogon.log file?
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
February 13th, 2013 5:24am
Hello,
ACS is installed and I checked the reports but it does not show what I need. I will see if I could customized a summary report.
I will try the Event ID 4624 as our Domain Controllers are Windows Server 2008 & Windows Server 2008 R2.
Thanks,
Dom
System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
Free Windows Admin Tool Kit Click here and download it now
February 13th, 2013 10:12am
I believe you have to create your own report. Can't remember any out-of-the-box reports that can count logons.http://OpsMgr.ru/
February 13th, 2013 10:55am
Hi,
the only way I know is:
- Collect audit logon events from every DC
- Write a report that will query for this events and count it
It's definitely work for ACS.http://OpsMgr.ru/
Free Windows Admin Tool Kit Click here and download it now
February 13th, 2013 1:14pm
Hello,
The Event ID 4624 should it be traced by a Rule in Windows Server 2008 Operating System or in Windows Server 2008 Computer?
Thanks,
DomSystem Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager
February 13th, 2013 5:35pm
Hello Dom,
No, it shouldn't. 4624 is the logon event, you can track the attempts to access a
computer (network logons, RDC connections, local logons etc). You need to track 'account logon' events. When somebody (user\service\computer) is trying to authenticate itself using a some sort of account
database (Active Directory, SAM) Windows is logging 'account logon' events.
Check this event: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
and this
http://technet.microsoft.com/ru-ru/library/dd772679(v=ws.10).aspx
http://OpsMgr.ru/
Free Windows Admin Tool Kit Click here and download it now
February 13th, 2013 10:17pm
Hello Dom,
No, it shouldn't. 4624 is the logon event, you can track the attempts to access a
computer (network logons, RDC connections, local logons etc). You need to track 'account logon' events. When somebody (user\service\computer) is trying to authenticate itself using a some sort of account
database (Active Directory, SAM) Windows is logging 'account logon' events.
Check this event: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
and this
http://technet.microsoft.com/ru-ru/library/dd772679(v=ws.10).aspx
http://OpsMgr.ru/
February 14th, 2013 6:11am