Looking at the Security Log in Event Viewer, I see that user jsmith logged on at 3:39 PM today. Event ID 4624 When I attempt to filter by Event ID 4624, that does work: 23000 events (Yes, I rounded off). But I did not need to select anything else. Then, leaving the previous filter in place, I add the user name "jsmith" (without quotes as you know) and nothing appears as a result. 0 Results Why? I can clearly see that they connected by merely perusing the logs. Selecting all Event Logs and all Event Levels changes nothing. I apparently cannot filter by user. Why not?

Yes, I also tried filtering by user name alone, without filtering by event ID first. When I enter jsmith, Exchange correctly adds the proper domain name in front: mydomain\jsmith But still produces 0 results.

Many others seem to have the same problem, I think something is natively busted with the xml query. When you create the filter, go to the xml tab and use the query below istead of what it autogenerated. <QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID="4624")]] and *[EventData[Data and (Data="jdoe")]]</Select></Query></QueryList>James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com