Item #1 only works if the user logs off. is there a way to know after they unlock there desktop also?

I have been asked by my CEO if I can monitor when a user log's on or off of the machine. But the user in question does not log off only locks the workstation. Has anyone else been asked to do this? What did you do? We have a Server 2003 AD domain. we have XP and Windows7 workstations.

Take a look at the following web addresses http://support.microsoft.com/kb/556015/en-us http://technet.microsoft.com/en-us/library/dd941595(WS.10).aspx Bye.Luigi Bruno - Microsoft Community Contributor 2011 Award

Item #1 only works if the user logs off. is there a way to know after they unlock there desktop also?

Hello, you have to use some scripts to log this kind of information, Richard Mueller has some great ones for free: If they do NOT logoff this of course cannot be logged. http://www.rlmueller.net/freecode2.htmBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hello, you have to use some scripts to log this kind of information, Richard Mueller has some great ones for free: If they do NOT logoff this of course cannot be logged. http://www.rlmueller.net/freecode2.htmBest regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hi SteveBarnhart, Windows 7 has the following events for computer lock and unlock: 4800 The workstation was locked. 4801 The workstation was unlocked. You need to enable the policy [Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy: Audit Logon Events]. If you already enabled it and user has locked or un-clocked the computer, you can find these events. For more information, please refer to this article: Audit Other Logon/Logoff Events http://technet.microsoft.com/en-us/library/dd772658(WS.10).aspx In Windows XP, there is no Audit Event generated during either Lock or Unlock a Workstation. The Only event that we get During an Unlock would be the Event ID 538 with Logon Type: 7 ------------------------------------------------------------------------------------- Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 User: DomainName\ADMINISTRATOR Computer: CLIENT1 Description: User Logoff: User Name: ADMINISTRATOR Domain: DomainName Logon ID: (0x0,0x9654AB) Logon Type: 7 ---------------------------------> Logon Type 7 (This logon type is intended for GINA DLLs logging on users who will be interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked. ) ------------------------------------------------------------------------------------- Hope this helps. Regards, Bruce Forum Support Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

You can enable logon logoff Audit policy in GPO and you gone know when user logout, login

Hi SteveBarnhart, Have you tried the suggestions? If there is any update, please feel free to let us know. Have a nice day!

You can enable logon logoff Audit policy in GPO and you gone know when user logout, login

I don't see a problem here. Your CEO has asked you to monitor when users logon or logoff. Locking the workstation is not the same as logging off, so if your report shows one person logged on a month ago and didn't log out since, then, he is either still logged on (and the workstation either locked or unlocked), or it was disconnected from the network before being powered off. Perhaps you need to look into *why* you are being asked to do this. If it is to make sure people are working, that cannot be determined from logon/logoff statistics, whether or not you can detect locking and unlocking events. One other thing: if the information collected is going to be used in any prejudicial manner (i.e. for disciplinary purposes), you would be well advised to ensure that the practice of collecting that information is in full compliance with relevant company policy and law. Al Dunbar -- remember to 'mark or propose as answer' or 'vote as helpful' as appropriate.