Auditing User logon and logoff, from the event logs on the domain controllers
From: Paul (pwilkins_at_utk.edu)
Date: 04/08/04
- Next message: Simon Geary: "Re: repair ntds.dit"
- Previous message: anonymous_at_discussions.microsoft.com: "ROOT$, or hidden users"
- Next in thread: Herb Martin: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Reply: Herb Martin: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Reply: Rykel: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Messages sorted by: [ date ] [ thread ]
Date: 8 Apr 2004 11:48:57 -0700
I'm trying to build statistics on computer lab usage based on the log
on, log off events registered on AD domain controllers.
On individual machines it's pretty easy to determine what's a logon
and what's a logoff. Logon is event id 528, type 2 and logoff is 538
type 3. Getting that same info from the DC's appears more
complicated. 528 applies to only local logons, so can't use that.
I've found that anyone logging on always generates an event id 673, or
kerberos ticket granted. But what about logoffs? Logging off
generates 538's, but the problem is that I see a bunch a 538's when a
users logs in too. Is there a way to accuratly figure out when
someone logs off?
- Next message: Simon Geary: "Re: repair ntds.dit"
- Previous message: anonymous_at_discussions.microsoft.com: "ROOT$, or hidden users"
- Next in thread: Herb Martin: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Reply: Herb Martin: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Reply: Rykel: "Re: Auditing User logon and logoff, from the event logs on the domain controllers"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
