On Wed, Mar 5, 2008 at 12:48 PM, Joe Heaton <[EMAIL PROTECTED]> wrote: > For instance, there's a handful of entries for one of our developers, > all saying Account Login, for today, but he left his machine on > all night, and unlocked it this morning, so he hasn't logged into > the network at all.
I believe unlocking a session only generates an Event Viewer entry on the host being unlocked, not on the DC. The Event ID is the same as a regular initial logon, but the text details show a different logon type. Not very helpful, if you ask me. The consensus seems to be forward events from workstations to a central event collection machine, and then filter there. I've seen suggestions of DIY solutions using an Event Log-to-syslog agent and any of the various syslog watching tools, or commercial products that do it all for you. -- Ben ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
