On Server 2008 R2, is there a convenient way to emulate the Unix 'last' utility (or at least show who's been logging on)? The Security event log seems to contain events for this, but they're buried within a ton of others; every 10 seconds I'm seeing an Audit Success for something irrelevant. I tried to filter by Task Category (login and logoff), but this option is always greyed out and doesn't let me enter anything, no matter what else I tweak. All I'd really like is the list of users and when they logged on. Thanks for any suggestions.:-( + :-) = :-) :-)

I am not familiar with Unix but you can enable auditing and it will showing your success and failure logon/logoff data. You can forward/collect event log using the following method: http://technet.microsoft.com/en-us/library/cc748890.aspx http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx or you can use Event Comb tool http://support.microsoft.com/kb/308471 http://support.microsoft.com/kb/824209 Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX Blogs - http://blogs.sivarajan.com/ This posting is provided AS IS with no warranties,and confers no rights.

Thank you. I have not made any changes to default auditing, but the logon/logoff events are showing up in the Security event log. Exporting the event log as a text file and grepping for the information I need is so far the quickest method. As for more auditing, is this done via secpol.msc? There are a couple of promising settings, but it's not clear what they accomplish or what the difference between them is: Local Policies/Audit Policy (Audit account logon events) Advanced Audit Policy Configuration/System Audit Policies - Local Group Policy Object (Logon/Logoff) :-( + :-) = :-) :-)