How to get lost login date and time logs of a user in Domain/active directory for last 6 years?
May 7th, 2012 7:43am
You cannot do that unless you save the security events in the Event Viewer. Still, you can use the lastLogonTimestamp attribute to find out when the user last logged on.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms676824(v=vs.85).aspx
http://www.arabitpro.com
May 7th, 2012 8:02am
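One way to read the attribute mentioned in the reply above, shown as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module and a hypothetical account name `jdoe`, and it also reads the per-DC lastLogon value from every domain controller so the replicated and non-replicated values can be compared:

```powershell
Import-Module ActiveDirectory      # assumption: RSAT ActiveDirectory module is installed

$sam = 'jdoe'                      # hypothetical account name

function ConvertFrom-AdFileTime([object]$Value) {
    # Both attributes are stored as FILETIME integers; 0 or empty means
    # no logon has been recorded in that attribute on that DC.
    if (-not $Value -or [int64]$Value -le 0) { return $null }
    [datetime]::FromFileTime([int64]$Value)   # converted to local time
}

# Ask every domain controller, because lastLogon is kept per DC.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName `
                 -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
        [pscustomobject]@{
            DC                 = $dc.HostName
            LastLogon          = ConvertFrom-AdFileTime $u.lastLogon
            LastLogonTimestamp = ConvertFrom-AdFileTime $u.lastLogonTimestamp
        }
    } catch {
        # An unreachable DC means the result may miss the newest logon.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The most recent per-DC value is the account's actual last logon.
$latest = $perDc | Where-Object LastLogon | Sort-Object LastLogon | Select-Object -Last 1
if ($latest) {
    "Most recent logon for ${sam}: $($latest.LastLogon) (recorded on $($latest.DC))"
} else {
    "No logon recorded for ${sam} on any reachable DC"
}
```

Either attribute yields only the single most recent logon, not a history; earlier logons still have to come from retained Security event logs.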
Have you backed up the logs? If not, then unfortunately it's not possible. Events older than a certain number of days, depending on your policy settings, are overwritten to prevent the log from exceeding the maximum file size. The Event Log Options setting is configured either via GPO or locally on machines. The log options allow you to control the size of the event logs as well as how logging is handled. Event Log policy settings can be configured in the following location in Group Policy Object Editor:
GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
Ref. links-
http://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/bb726966.aspx
Sachin Gadhave (MCP, MCTS)
May 7th, 2012 8:02am
Hi Borh,
Thanks a lot for your quick answers.
In my environment, DCs are configured to store a maximum of 128 MB of security logs. Is it then possible to find all the last logon stamps for an end user for a few days? (Let's say user x has logged on to a laptop daily for the last month; will those logons be stored on the DC?)
May 7th, 2012 8:51am
You can find the last logon details of an end user for a few days; however, that again depends on the number of users present in Active Directory. In a large enterprise with thousands of users in AD, security logs on DCs are overwritten very quickly. If logs are overwritten, then you will have no option to filter the security events for old logon stamps which are already lost.
If you need to preserve the logs, then you might need to consider a third-party application (e.g. GFI event Manager) which can do that job for you, or else you might want to consider Windows Event Forwarding and Subscriptions.
Quick and Dirty Large Scale Eventing for Windows
http://blogs.technet.com/b/otto/archive/2008/07/08/quick-and-dirty-enterprise-eventing-for-windows.aspx
Configure Computers to Forward and Collect Events
http://technet.microsoft.com/en-us/library/cc748890.aspx
Setting up a Source Initiated Subscription
http://msdn.microsoft.com/en-us/library/bb870973(VS.85).aspx
Windows Event Collector
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx
A UNIVERSE without WINDOWS is CHAOS !
This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
May 7th, 2012 10:07am
Hello,
Since the events have not been deleted, you can find the information you want.
For tracking logons, you can use the following script as a logon script using group policies:
echo %username%; %computername%; %date%; %time% >> \\Server\Share\logons.csv
Where:
"Server" is a file server
"Share" is a shared folder on this server
So, like that, each time a user logs on, an entry will be added to the "logons.csv" file.
For tracking, open it using Excel and you will have the following columns:
User Name
Computer Name
Date of logon
Time of logon
Note also that, if you want to get the last date / time a user logged on, you can use the following AD attributes which you will find in the properties of the user account:
lastlogon: This attribute is not replicated and will contain the last time the user used a specific DC. If you use it, then check it on all the DCs you have.
lastlogontimestamp: This attribute is replicated to the DCs you have if your DFL is Windows Server 2003 or higher. This attribute may be deleted by 0-14 days. More here: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
May 7th, 2012 10:14am
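A sketch of how the logons.csv file produced by the logon script in the post above could be summarised without Excel, added here as an example that is not part of the original post. The sample lines are constructed and assume en-US `%date%` / `%time%` output; the function name is hypothetical. Because every user must be able to write to the share, the file can be edited by hand, so lines that do not parse are kept for review rather than dropped:

```powershell
# Constructed sample of \\Server\Share\logons.csv (en-US date/time assumed).
$sample = @'
jdoe; LAPTOP-017; Mon 05/07/2012;  8:02:11.45
asmith; PC-0042; Mon 05/07/2012; 10:14:03.10
jdoe; LAPTOP-017; Tue 05/08/2012;  7:58:40.02
this line was edited by hand
jdoe; PC-0042; Wed 05/09/2012; 13:21:09.77
'@

function ConvertFrom-LogonLog {        # hypothetical helper name
    param([string[]]$Line)
    $format  = 'MM/dd/yyyy H:mm:ss.ff' # adjust for other locales
    $culture = [Globalization.CultureInfo]::InvariantCulture
    foreach ($raw in $Line) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # echo leaves spaces around each field, and %time% is space-padded before 10:00
        $f = @($raw.Split(';') | ForEach-Object { $_.Trim() })
        $when  = [datetime]::MinValue
        # Drop the weekday name that en-US %date% puts before the date
        $stamp = if ($f.Count -eq 4) { '{0} {1}' -f ($f[2] -split ' ')[-1], $f[3] }
        $ok = $stamp -and [datetime]::TryParseExact($stamp, $format, $culture,
                  [Globalization.DateTimeStyles]::None, [ref]$when)
        [pscustomobject]@{
            User     = if ($ok) { $f[0] }
            Computer = if ($ok) { $f[1] }
            When     = if ($ok) { $when }
            Valid    = [bool]$ok
            Raw      = $raw
        }
    }
}

# In production: ConvertFrom-LogonLog -Line (Get-Content \\Server\Share\logons.csv)
$rows = ConvertFrom-LogonLog -Line ($sample -split '\r?\n')

# Last recorded logon and logon count per user
$rows | Where-Object Valid | Group-Object User | ForEach-Object {
    $last = $_.Group | Sort-Object When | Select-Object -Last 1
    [pscustomobject]@{ User = $_.Name; LastLogon = $last.When
                       Computer = $last.Computer; Logons = $_.Count }
} | Format-Table -AutoSize

# Lines that do not match the script's format (possible manual edits)
$rows | Where-Object { -not $_.Valid } | Select-Object -ExpandProperty Raw
```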
Hi Skoppula,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.
Best Regards
Kevin
TechNet Community Support
May 10th, 2012 10:24pm