Need to find user account login dates and times
I am running Small Business Server 2008. It appears that a former employee may have broken into a user account and accessed e-mails. How can I find login dates and times for a user account to see if there has been any unusual login activity?
December 30th, 2009 9:11pm

If auditing of logon events is enabled you can check the security event logs. If auditing is not enabled you are out of luck. Save the event log now because it will be overwritten over time.
December 31st, 2009 12:59am

I do have auditing of logon events enabled. I have looked at the event logs and the sheer volume of events that are logged makes it an enormous task to find just the login information pertaining to a particular user. Is there a utility or program that I can download which will allow me to search for the information that I need?
December 31st, 2009 1:46am

Hi Bbeckers, I just want to add more to Gunner999's information. LSASS is the component, a user mode process, which performs the action of writing event logs / security logs into Event Viewer, using lsasrv.dll to perform the operation along with many other functions. So the only way to track audit is by viewing Event Viewer security event logs. AFAIK, apart from the event log, Windows does write information into the registry, but not the older events; it just writes information about the last logged-in user time.
December 31st, 2009 4:23am

Specifically, I need to check if a specific user logged in or attempted to login during the hours of 5:00PM on 12/29/09 to 9:00AM on 12/30/09. As I mentioned in my original post, we are running Small Business Server 2008. I knew how to get this info on SBS 2003, but I cannot seem to locate this info in 2008. There are literally thousands of entries in the Security Event Log for this time frame, and going one-by-one through the log is an ENORMOUS task; I simply do not have the time to click each entry. There MUST be some kind of tool, utility, or something that can pull this data for me! I really need help with this ASAP.
December 31st, 2009 10:34pm

See here for a VBScript which you can download to do this: VBScript Last Logon Times. And see here for a PowerShell script which does the same: Get Last Logon of Users. You can also use a commercial solution instead of these scripts; an example for that is: Quest Active Directory Change Auditing. I hope this is helpful for you.
Certifications: MCSA 2003 | MCSE 2003 | MCTS
January 1st, 2010 6:17pm

You can use WMI to query the event logs. In this case, you can adapt the following script that queries for logon and logoff events in the security log between specified dates:

Option Explicit
Dim strComputer, objWMIService, colEvents, objEvent
Dim dtmStart, dtmEnd, strUser

strComputer = "West204"
' Date format is yyyymmddhhmmss.ssssss-zzz, where -zzz is the local time zone bias in minutes from UTC.
dtmStart = "20091228000000.000000-360"
dtmEnd = "20100101000000.000000-360"
' Not used in the query below (see the note after the script); filter the output by user afterwards.
strUser = "jsmith"

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Event codes 528/540/538 are the Windows 2000/2003 logon and logoff IDs;
' Windows Server 2008 logs 4624/4634/4647 for the same events.
Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " _
    & "TimeWritten >= '" & dtmStart & "' AND TimeWritten < '" _
    & dtmEnd & "' AND " _
    & "(EventCode = '528' OR EventCode = '540' OR EventCode = '538')")

For Each objEvent In colEvents
    Wscript.Echo "---------------------------"
    Wscript.Echo "Computer: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Time: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.EventType
    Wscript.Echo "User: " & objEvent.User
Next

These queries are always slow. I tried to add a WHERE clause for the user, but could not get it to work, so the output will include all logon/logoff events between the dates. I also expected more WHERE clauses to make the query faster, but it doesn't seem to work that way. Run the script at a command prompt and redirect the output to a text file. The date format is yyyymmddhhmmss.ssssss-zzz, where -zzz is your local time zone bias in minutes (from UTC).
Richard Mueller, MVP ADSI
January 1st, 2010 10:29pm
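An added example, not from any poster in this thread, showing how the same job (Gunner999's "save the log now" advice plus the per-user, per-time-window search the question asks for) can be done natively on Server 2008 with Windows PowerShell 2.0's Get-WinEvent. It assumes PowerShell 2.0 is installed on the server, that the account running it can read the Security log, and that the user name, time window and backup path shown are placeholders to be replaced. The event IDs 4624/4625/4634/4647/4648 are the Server 2008 equivalents of the 528/540/538 family used in the VBScript above.

```powershell
# Added example: preserve the Security log, then search the saved copy for one user's
# logon activity in a time window. Assumes Windows PowerShell 2.0+ on the server.
param(
    [string]   $User   = 'jsmith',                            # hypothetical account name
    [datetime] $Start  = '12/29/2009 5:00 PM',                # window from the question
    [datetime] $End    = '12/30/2009 9:00 AM',
    [string]   $Backup = 'C:\Forensics\Security-backup.evtx'  # assumed output path
)

# 1. Preserve the evidence first: export the live Security log before it wraps.
$dir = Split-Path $Backup
if (-not (Test-Path $dir))    { New-Item -ItemType Directory -Path $dir | Out-Null }
if (-not (Test-Path $Backup)) { wevtutil epl Security $Backup }

# 2. Server 2008 logon/logoff event IDs (528/540/538 are the Windows 2003 equivalents):
#    4624 logon success, 4625 logon failure, 4634/4647 logoff, 4648 explicit credentials
$ids = 4624, 4625, 4634, 4647, 4648

# 3. Query the saved copy; the event log service does the date and ID filtering.
$events = Get-WinEvent -FilterHashtable @{
    Path = $Backup; Id = $ids; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

# 4. Pull the named fields out of each event's XML payload and keep only the target user.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['TargetUserName'] -eq $User) {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Id          = $e.Id
            LogonType   = $d['LogonType']        # 2 interactive, 3 network, 10 RDP
            Source      = $d['IpAddress']        # empty for logoff events
            Workstation = $d['WorkstationName']
            Status      = $d['Status']           # failure code, 4625 only
        }
    }
}

$rows | Sort-Object Time |
    Format-Table Time, Id, LogonType, Source, Workstation, Status -AutoSize
```

Querying the exported .evtx rather than the live log means the evidence is fixed at the moment of export and the search can be re-run later without the results shifting as the live log wraps. A run of 4625 failures for the account followed by a 4624 from the same source address inside the window is the pattern worth looking for in the output.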

Thank you! The PowerShell script worked perfectly!
January 12th, 2010 6:39pm
