How to monitor users login and logout activity?
Item #1 only works if the user logs off. is there a way to know after they unlock there desktop also?
September 1st, 2011 1:51pm
I have been asked by my CEO if I can monitor when a user log's on or off of the machine. But the user in question does not log off only locks the workstation.
Has anyone else been asked to do this? What did you do?
We have a Server 2003 AD domain. we have XP and Windows7 workstations.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2011 7:20pm
Take a look at the following web addresses
http://support.microsoft.com/kb/556015/en-us
http://technet.microsoft.com/en-us/library/dd941595(WS.10).aspx
Bye.Luigi Bruno - Microsoft Community Contributor 2011 Award
September 1st, 2011 7:38pm
Item #1 only works if the user logs off. is there a way to know after they unlock there desktop also?
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2011 8:51pm
Hello,
you have to use some scripts to log this kind of information, Richard Mueller has some great ones for free:
If they do NOT logoff this of course cannot be logged.
http://www.rlmueller.net/freecode2.htmBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
September 2nd, 2011 2:46am
Hello,
you have to use some scripts to log this kind of information, Richard Mueller has some great ones for free:
If they do NOT logoff this of course cannot be logged.
http://www.rlmueller.net/freecode2.htmBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2011 9:46am
Hi SteveBarnhart,
Windows 7 has the following events for computer lock and unlock:
4800 The workstation was locked.
4801 The workstation was unlocked.
You need to enable the policy [Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy: Audit Logon
Events]. If you already enabled it and user has locked or un-clocked the computer, you can find these events. For more information, please refer to this article:
Audit Other Logon/Logoff Events
http://technet.microsoft.com/en-us/library/dd772658(WS.10).aspx
In Windows XP, there is no Audit Event generated during either Lock or Unlock a Workstation. The Only event that we get During
an Unlock would be the Event ID 538 with Logon Type: 7
-------------------------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
User: DomainName\ADMINISTRATOR
Computer: CLIENT1
Description:
User Logoff:
User Name: ADMINISTRATOR
Domain: DomainName
Logon ID: (0x0,0x9654AB)
Logon Type: 7 ---------------------------------> Logon Type 7 (This logon type is intended for GINA DLLs logging on users who
will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked. )
-------------------------------------------------------------------------------------
Hope this helps.
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for
TechNet Subscriber Support, contact tnmff@microsoft.com.
September 2nd, 2011 11:38am
You can enable logon logoff Audit policy in GPO and you gone know when user logout, login
Free Windows Admin Tool Kit Click here and download it now
September 5th, 2011 12:45pm
Hi SteveBarnhart,
Have you tried the suggestions? If there is any update, please feel free to let us know.
Have a nice day!
September 5th, 2011 7:39pm
You can enable logon logoff Audit policy in GPO and you gone know when user logout, login
Free Windows Admin Tool Kit Click here and download it now
September 5th, 2011 7:45pm
I don't see a problem here. Your CEO has asked you to monitor when users logon or logoff. Locking the workstation is not the same as logging off, so if your report shows one person logged on a month ago and didn't log out since, then, he is either still
logged on (and the workstation either locked or unlocked), or it was disconnected from the network before being powered off.
Perhaps you need to look into *why* you are being asked to do this. If it is to make sure people are working, that cannot be determined from logon/logoff statistics, whether or not you can detect locking and unlocking events.
One other thing: if the information collected is going to be used in any prejudicial manner (i.e. for disciplinary purposes), you would be well advised to ensure that the practice of collecting that information is in full compliance with relevant company
policy and law.
Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.
October 23rd, 2012 10:59am