Trace logon and logoff users in AD
Hello,

I will trace user logons and logoffs in my Active Directory 2003 domain environment. What kind of events should I track to have that information? (I enabled the audit policy on the DC.) I did a small investigation with Google and I would be able to find a solution :(. I found that you can use logon and logoff scripts, but this doesn't satisfy me :(. Is it possible to track this event with the security log?

I enabled in GPO:

Policy | Computer Setting | Source GPO
Audit account logon events | Success, Failure | Default Domain Controllers Policy
Audit account management | Success | Default Domain Controllers Policy
Audit directory service access | Success | Default Domain Controllers Policy
Audit logon events | Success, Failure | Default Domain Controllers Policy
Audit object access | Success, Failure | Default Domain Controllers Policy
Audit policy change | Success | Default Domain Controllers Policy
Audit privilege use | Success, Failure | Default Domain Controllers Policy
Audit process tracking | No auditing | Default Domain Controllers Policy
Audit system events | Success | Default Domain Controllers Policy

Best regards,
Xentri
December 16th, 2010 9:53am

Refer to this article about Windows and Active Directory Auditing.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
December 17th, 2010 4:12am

Some additional notes:

a) The Account Logon events appear only on DCs; you will need to check this on all DCs.
b) There is no real 100% accurate method to find out whether the users have logged off.
c) The Logon events can be considered "session access events" rather than "logon/logoff" events, as the Logon events appear every time the user SESSION is established with the target service, and the logoff events again appear when the session is terminated. This means several times during the day, or even a lot of times during any hour :-)

ondrej.
December 17th, 2010 5:00am

Hello,

Thanks for the answers.

Ondrej:
ad a) I know it and I will check on all DCs.
ad c) I know it, and this is the problem with the 538 event.
ad b) What does "no real 100%" mean? I traced some logoffs and I saw events: the last events 540, 565, 565, 538 with the same Logon ID indicate a logoff (the double occurrence of 565 is the point).

Can anyone confirm this? Or does anyone know any other way to find out a logoff?

Best regards,
Xentri
December 20th, 2010 8:12am

Hi,

The following article could be helpful for your work:

Tracking Logon and Logoff Activity in Windows 2000
http://technet.microsoft.com/en-us/library/bb742436.aspx

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 21st, 2010 12:41am

Thanks for the reply.

I read this article but I didn't find any better information than event 538 connected with Logon ID. Does anyone have an idea?

Best regards,
Xentri
December 23rd, 2010 11:10am
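
The Logon ID correlation discussed in this thread, as an added example that is not code from any poster: it pairs logon events (528 successful logon, 540 successful network logon) with logoff event 538 by Logon ID, keyed per computer because a Logon ID is only unique on the machine that issued it. The CSV column layout, function names and sample rows are assumptions constructed for illustration; 528 is not mentioned in the thread.

```python
import csv
import io
from datetime import datetime

LOGON_EVENTS = {"528", "540"}   # 528 = successful logon, 540 = successful network logon
LOGOFF_EVENTS = {"538"}         # 538 = user logoff

# Constructed sample export; the column layout is an assumption, not a Windows format.
SAMPLE = """time,computer,event_id,user,logon_type,logon_id
2010-12-20 08:00:01,DC1,540,alice,3,0x1A2B3
2010-12-20 08:00:02,DC1,565,alice,,0x1A2B3
2010-12-20 08:00:02,DC1,565,alice,,0x1A2B3
2010-12-20 08:00:05,DC2,540,alice,3,0x1A2B3
2010-12-20 08:00:09,DC1,538,alice,3,0x1A2B3
2010-12-20 08:30:00,WS7,528,bob,2,0x5F00D
2010-12-20 08:31:00,DC1,538,carol,3,0x77777
"""

def load(text):
    """Parse the exported events into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def pair_sessions(rows):
    """Return (closed sessions, logons with no 538, 538s with no logon)."""
    open_logons, closed, orphans = {}, [], []
    for r in sorted(rows, key=lambda r: r["time"]):
        # Same Logon ID on two machines is two different sessions.
        key = (r["computer"].upper(), r["logon_id"].lower())
        ts = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        if r["event_id"] in LOGON_EVENTS:
            open_logons[key] = (r["user"], r["logon_type"], ts)
        elif r["event_id"] in LOGOFF_EVENTS:
            start = open_logons.pop(key, None)
            if start is None:
                orphans.append(key)   # logon was outside the exported window
            else:
                user, ltype, began = start
                closed.append((user, key[0], ltype, (ts - began).total_seconds()))
        # Other event IDs (e.g. 565) share the Logon ID but do not open or close a session.
    return closed, open_logons, orphans

if __name__ == "__main__":
    closed, still_open, orphans = pair_sessions(load(SAMPLE))
    for user, host, ltype, secs in closed:
        print(f"{user} on {host}: type {ltype} session lasted {secs:.0f}s")
    for (host, lid), (user, ltype, began) in still_open.items():
        print(f"{user} on {host}: logon {lid} at {began} has no 538")
    print("538 without a matching logon:", orphans)
```

The logons left without a 538 are the cases where the security log alone cannot say whether the user has logged off.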

This topic is archived. No further replies will be accepted.
