I've had a request to provide logon/logoff times for a specific set of employees, from 6 months ago. At the time, we were a Win 2003 AD shop (since upgraded to Win 2008 R2 AD shop). We installed all new hardware, and upgraded that way, then retired the old hardware.
Besides the fact that I don't think we were auditing "successful" logins, only failed logins, I need to at least see if I can get this information. I thought that it would be in the event logs of the DCs at that time. I have backups of the DCs (we use EMC Networker, backing up all DCs in FULL every night). I figured I would restore the event log, and open the old log with the current DC and look in the log.
But I don't see any event log files (*.evt) in the location c:\windows\system32\config. The only *.evt files I see are in C:\Windows\Repair\Backup\ServiceState\EventLogs. Can that be right? Am I misunderstanding where the logs are? They do have a modification date that corresponds to the backup date, so they're not old, obsolete files.
Am I just spinning my wheels unnecessarily here? Can I just restore an event log? (Hopefully it will have the info I need.)
Thanks
