I second that - there are a lot of logon events that are not going to be logged on a DC - locking and unlocking the computer, for example. In addition, the logon event from the DC does not tell you what computer they logged on to, plus there are a ton of different scenarios where authentication is required, resulting in a logon event being recorded on the DC. Grabbing the event logs from the computer(s) in question is the best way to know when a user actually logged on, imho.

BTW, we had to do this last year for an HR issue involving an employee they did not think was performing their job. Event ID 528 would be the login, but within that 528, login type 2 would be the console login, login type 7 would be unlocking the workstation, and login type 11 would be the cached interactive login where the user logs in with cached credentials and later authenticates to the DC.

Thanks,

James Winzenz
Infrastructure Engineer - Security
Pulte Homes Information Services

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Posted At: Thursday, February 07, 2008 9:56 PM
Posted To: NTSysadmin
Conversation: software to monitor users login and logoff
Subject: Re: software to monitor users login and logoff

On 2/7/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Remember that if you have multiple DC's that the last logon is
> registered on the DC they authenticated to and it doesn't replicate to
> other DC's. There are scripts out there that will poll all the DC's and
> give you that info but you have to put it together.

That's why I said: "Actually, you might want to put the Snare client on the workstations instead."

That way you can capture logon events more directly. Of course, it means setting auditing for each of the workstations, but that's not terribly onerous, and the Snare client includes facilities for remote self-installation. Should be pretty painless, really.

Kurt

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
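
Added example, not part of the original thread or any poster's own code: a Python sketch that builds a per-user timeline from workstation Security logs using the Event ID 528 logon types named above (2, 7 and 11). The `timestamp|event id|computer|description` export layout, the sample records, and the name `interactive_logons` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Logon types named in the message above; any other type is not reported.
LOGON_TYPES = {2: "console logon", 7: "workstation unlock", 11: "cached interactive logon"}

# Constructed sample: one exported Security-log record per line, in an assumed
# "timestamp|event id|computer|description" layout (not a real tool's format).
SAMPLE_EXPORT = """\
2008-02-07 08:02:11|528|WKS-014|Successful Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2 Logon Process: User32
2008-02-07 08:05:43|528|WKS-014|Successful Logon: User Name: svc_backup Domain: CORP Logon ID: (0x0,0x1A2F0) Logon Type: 5 Logon Process: Advapi
2008-02-07 10:47:30|528|WKS-014|Successful Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x2C001) Logon Type: 7 Logon Process: User32
2008-02-07 17:15:05|538|WKS-014|User Logoff: User Name: jdoe Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 2
2008-02-08 07:58:40|528|LAP-203|Successful Logon: User Name: asmith Domain: CORP Logon ID: (0x0,0x0F3D1) Logon Type: 11 Logon Process: User32
this line is truncated and must be skipped
"""

FIELDS = re.compile(r"User Name:\s*(\S+)\s+Domain:\s*(\S+).*?Logon Type:\s*(\d+)")

def interactive_logons(export_text):
    """Return {DOMAIN\\user: [(time, computer, label), ...]} for 528 types 2/7/11."""
    timeline = defaultdict(list)
    for line in export_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4 or parts[1] != "528":
            continue  # malformed record, or not a logon event
        match = FIELDS.search(parts[3])
        if not match:
            continue  # description lacks the expected fields
        user, domain, logon_type = match.group(1), match.group(2), int(match.group(3))
        label = LOGON_TYPES.get(logon_type)
        if label is None:
            continue  # e.g. a service logon: nobody sat down at the keyboard
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        timeline[f"{domain}\\{user}"].append((when, parts[2], label))
    for events in timeline.values():
        events.sort()  # chronological order per account
    return dict(timeline)

if __name__ == "__main__":
    for account, events in interactive_logons(SAMPLE_EXPORT).items():
        for when, computer, label in events:
            print(f"{when:%Y-%m-%d %H:%M:%S}  {account:<12} {computer:<8} {label}")
```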
