The DCs are the correct place, unless, as noted, she is logging in with a local account. The thing you want to look at is lastlogondate, using powershell - it's a calculated/converted version of the value for lastlogontimestamp, which is replicated amongst the DCs. Thus, you only have to query one DC/GC, rather than all of them. Query every 15 minutes or so each morning, to get a good idea of logon times. See this for some examples:
http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx Of course, if she hares off to meetings first thing each morning, before ever touching her machine, it won't be accurate. Perhaps more accurate (and perhaps not, given tailgating, etc.) would be records from your cardkey system, if you have one. Kurt On Fri, Jul 10, 2015 at 12:22 PM, David McSpadden <[email protected]> wrote: > Mostly I am trying to let management know if a department manager is > even coming in and when. > > Right now it looks like she is coming in around 9:30 instead of 7:30. > > I would like to know for sure though. > > I was thinking the interactive (2) on the workstation but everyone is > saying the dc’s (I have 5 total) should be where to get my info. > > > > > > > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Kibble,Tony > *Sent:* Friday, July 10, 2015 3:17 PM > *To:* [email protected] > *Subject:* RE: [NTSysADM] RE: user logged in time > > > > Very basic, I am not a scripter by any means > > > > Have this in a file called logon.cmd in the NETLOGON folder and call it > via GPO > > > > echo Log-on Script: Login From: %COMPUTERNAME%, User Name: %USERNAME%, > Date: %DATE%, Time: %TIME% >> \\Servername\Sharename\%username%.csv > > > > and this one in a file called Logoff.cmd > > > > echo Log-off Script: Log-off From: %COMPUTERNAME%, User Name: %USERNAME%, > Login Date: %DATE%, Login Time: %TIME% >> \\Servername\Sharename > \%username%.csv > > > > But it works for me. > > > > *Tony * > > > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *J- P > *Sent:* 10 July 2015 19:05 > *To:* NT > *Subject:* RE: [NTSysADM] RE: user logged in time > > > > Would you mind sharing it? > > > Jean-Paul Natola > > ------------------------------ > > From: [email protected] > To: [email protected] > Subject: [NTSysADM] RE: user logged in time > Date: Fri, 10 Jul 2015 07:04:05 +0000 > > > http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html > > > > This has always been the site I refer back to for the various codes that > each type of logon and logoff event relates to. I also have a logon and > logoff script attached to a GPO which logs the user name, device name and > time to an excel spreadsheet on a central share, one for each person making > it easy to find if needed. > > > > *Tony * > > > > > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Stephen Gestwicki > *Sent:* 09 July 2015 22:52 > *To:* [email protected] > *Subject:* [NTSysADM] RE: user logged in time > > > > A quick bing search (you read that right) showed me this that contains the > events for logon and logoff along with session connections, locked > workstations, and the screensaver. You may also want to watch for idle > events too. > > > http://www.morgantechspace.com/2013/10/tracking-user-logon-activity-using.html > > > > - Stephen > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Boyles, Peter J {BIS} > *Sent:* Thursday, July 09, 2015 5:28 PM > *To:* [email protected] > *Subject:* [NTSysADM] RE: user logged in time > > > > > > Enable audit of security events for success and failure of logon and > logoff > > > > Check security event log for: > > Event ID 4648 Logon > > Event ID 4634 Logoff > > > > > > *Peter Boyles* > > *BIS Engineering Analyst * > > *PepsiCo Inc. | Global End User Services | GEUS Deploy* > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *David McSpadden > *Sent:* Thursday, July 9, 2015 12:54 PM > *To:* [email protected] > *Subject:* [NTSysADM] user logged in time > > > > I want to see in general when a user logged into a workstation. > > > > So I am looking in the local workstation, Security events, for ….what?? > > > > > > *David McSpadden* > > Systems Administrator > > Indiana Members Credit Union > > P: 317.554.8190 | F: 317.554.8106 > > [image: Description: imcu email icon] <http://imcu.com/> [image: > Description: facebook email icon] > <https://www.facebook.com/IndianaMembersCU> [image: Description: twitter > email icon] <https://twitter.com/IndMembersCU> > > > > [image: Description: email logo] > > [image: mcp2] > > > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > > > Please consider the environment before printing this email. > > > ------------------------------ > > > DISCLAIMER > > This material has been checked by us for computer viruses and, although > none has been found, we cannot guarantee that it is completely free from > such problems and we do not accept liability for loss or damage which may > be caused. > > This message is intended only for use of the individual or entity to whom > it is addressed and may contain information which may be privileged and > confidential. If you are not the intended recipient you are hereby notified > that any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this e-mail in error, please > notify the sender immediately via e-mail and delete the message. Thank you. > > ******************************************************* > > Travelers Insurance Company Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority in > the UK and is regulated by the Central Bank of Ireland for conduct of > business rules. Registered in England 1034343. Registered as a branch in > Ireland 903382. > > Travelers Syndicate Management Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and > the Prudential Regulation Authority. Registered in England 03207530. > > Travelers Underwriting Agency Limited is authorised and regulated by the > Financial Conduct Authority. Registered in England 03708247. > > Travelers Professional Risks Limited is an appointed representative of > Travelers Insurance Company Limited which is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and > the Prudential Regulation Authority. Registered in England 05201980 > > Travelers Management Limited. Registered in England 00972175. > > The registered offices for all companies listed above is: Exchequer Court, > 33 St Mary Axe, London, EC3A 8AG. > All other branch offices are available from our websites. > > travelers.co.uk > travelers.ie > > Issues to: mailto: [email protected] > ------------------------------ > > This communication, including attachments, is confidential, may be subject > to legal privileges, and is intended for the sole use of the addressee. Any > use, duplication, disclosure or dissemination of this communication, other > than by the addressee, is prohibited. If you have received this > communication in error, please notify the sender immediately and delete or > destroy this communication and all copies. > > TRVDiscDefault::1201 > > > ------------------------------ > > > DISCLAIMER > > This material has been checked by us for computer viruses and, although > none has been found, we cannot guarantee that it is completely free from > such problems and we do not accept liability for loss or damage which may > be caused. > > This message is intended only for use of the individual or entity to whom > it is addressed and may contain information which may be privileged and > confidential. If you are not the intended recipient you are hereby notified > that any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this e-mail in error, please > notify the sender immediately via e-mail and delete the message. Thank you. > > ******************************************************* > > Travelers Insurance Company Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority in > the UK and is regulated by the Central Bank of Ireland for conduct of > business rules. Registered in England 1034343. Registered as a branch in > Ireland 903382. > > Travelers Syndicate Management Limited is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and > the Prudential Regulation Authority. Registered in England 03207530. > > Travelers Underwriting Agency Limited is authorised and regulated by the > Financial Conduct Authority. Registered in England 03708247. > > Travelers Professional Risks Limited is an appointed representative of > Travelers Insurance Company Limited which is authorised by the Prudential > Regulation Authority and regulated by the Financial Conduct Authority and > the Prudential Regulation Authority. Registered in England 05201980 > > Travelers Management Limited. Registered in England 00972175. > > The registered offices for all companies listed above is: Exchequer Court, > 33 St Mary Axe, London, EC3A 8AG. > All other branch offices are available from our websites. > > travelers.co.uk > travelers.ie > > Issues to: mailto: [email protected] > > This e-mail and any files transmitted with it are property of Indiana > Members Credit Union, are confidential, and are intended solely for the use > of the individual or entity to whom this e-mail is addressed. If you are > not one of the named recipient(s) or otherwise have reason to believe that > you have received this message in error, please notify the sender and > delete this message immediately from your computer. Any other use, > retention, dissemination, forwarding, printing, or copying of this email is > strictly prohibited. > > Please consider the environment before printing this email. >
