I want to track users' logon and logoff times to our domain. I've enabled success and failure auditing for both the Audit logon events and Audit account logon events categories in our domain controller's (DC's) audit policy. When I look at the DC's Security logs, I find users' logon times but not their logout times. Is it possible to determine user logon and logout time by looking at DC Security logs?

Unfortunately, no. DCs perform only the initial user authentication—they don't track how long users remain logged on interactively at workstations or connected to servers. You must look for event ID 528 (Successful Logon) and event ID 538 (Logon Failure) in the Security log on each workstation to determine a user's exact logon and logoff time. For more information, see "Tracking Logon and Logoff Activity in Win2K," InstantDoc ID 16430.

—Randy Franklin Smith

End of Article


You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Like I already noticed in the magazine you claim that eventid 538 is for Logon Failure... well check again it's Logoff eventid... (in windows server 2003 can't imaging that MS changed it.)

mutsje- November 25, 2004

Article Rating 1 out of 5

 
 

ADS BY GOOGLE