Date and time stamp

  • Thread starter Thread starter donald
  • Start date Start date
D

donald

Hi all,

I have a group of 10 computer on a domain with one server and i need to
find out when one user in my domain was logon and logout and when they
lock there computer. for the last 6 months. the user only users one
computer which made this a little better.

the server is windows 2003 server and the client is using windows xp
SP2

Any help would really time

thanks a lot

dorling
 
donald said:
I have a group of 10 computer on a domain with one server and i
need to find out when one user in my domain was logon and logout
and when they lock there computer. for the last 6 months. the user
only users one computer which made this a little better.

the server is windows 2003 server and the client is using windows xp
SP2

Any help would really time
Click to expand...

Do you use logon scripts in your domain? (you should)
If so (or if not - do now) - just add to the logon script for the domain
something as simple (assuming batch script logon scripts):

ECHO %USERNAME% logged into %COMPUTERNAME% on %DATE% at %TIME% >>
\\SERVER\SHARE\logon.log

(Or something similar.)

As for locking the screen and keeping track of that - wow - why?! Anyway -
I have a few random ideas of how to do that - but I will let anyone else who
might have had reason to do that chime in.
 
Hi,

thanks for your quick reply.

i will put that in to the logon scripts which will help. But is there
any way of finding out of for the last 6 months??

and please do post your ideas for locking the screen???
 
I have a group of 10 computer on a domain with one server
and i need to find out when one user in my domain was logon
and logout and when they lock there computer. for the last 6
months. the user only users one computer which made this
a little better.
Click to expand...

The only way I know to check activation of a locked screen is to turn on
auditing. I was faced with this once. In the Event log I could see not only
initial logon/logoff info, but also each time the user "logged on" to break
the screen saver. They had different Event numbers. Although the info logged
was virtually identical.

If auditing has not been turned on I don't believe you will be able to do
any of this.

To answer Shenan's question about why... the reason I had to do it was to
help security collect all the facts before accusing someone in my org of
unauthorized use of government resources. Specifically, I had to provide my
firewall logs showing certain unauthorized web sites visited, by a specific
machine, at a specific time, but I had to go to the individual machine's
audit logs to prove that one specific individual was logged on when these
indiscretions occurred. This config was U.S. Govt mandated. Without
incorporating the ability to track this they would not have let me install
Internet access at all.

In case you are curious, the offender was properly counseled by security and
his supervisor. Turns out he was collecting overtime pay for the whole
weekend while spending well over 8 hours aggressively surfing prohibited (by
written security policy) sites.

-Frank
 
donald said:
i will put that in to the logon scripts which will help. But is there any
way of finding out of for the last 6 months?? and please do post your
Click to expand...

Scan your domain controller event logs (if only one server) for account
logon events. Search for a tool called "log Parser" which may help you with
filtering and searching. Log Parser is free tool. The data will be in there
if the logs go back that far (possible if only a small environment). As for
capturing locking the screen, I really can't think of how you can pull that
data. It certainly isn't logged by default, even on the workstation itself.

528 successfull logon
551 user initiated logoff
538 user logoff
 
Todd J Heron said:
Scan your domain controller event logs (if only one server) for account
logon events. Search for a tool called "log Parser" which may help you
with
filtering and searching. Log Parser is free tool. The data will be in
there
if the logs go back that far (possible if only a small environment). As
for
capturing locking the screen, I really can't think of how you can pull
that
data. It certainly isn't logged by default, even on the workstation
itself.

528 successfull logon
551 user initiated logoff
538 user logoff
Click to expand...

If you look at the details of events 528 and 538 carefully you will see that
the "Logon Type" is 7 for a screen saver break and 2 for a normal logon.

-Frank
 
i can only do this if f auditing has not been turned on right how do i
check this??

thansk for your info??

Dorling
 
i can only do this if f auditing has not been turned on right
how do i check this??

thansk for your info??

Dorling
Click to expand...

Actually (what I think you meant, anyway) you can only do this is auditing
*has* been turned on on the local workstation. To check, just go to Start |
Programs | Administrator Tools | Local Security Policies. Click on Audit
Policies in the left pain, then right-click on Audit account logon events
and Audit logon events and select auditing for both failure and success.
Apply.

You can then Ctrl-Alt-Del to lock the screen, supply your password to break
the lock and you will see your logged results in the event viewer under
security. (You might have to refresh the view to see this right away if you
do this fairly quickly)

-Frank
 
Back
Top