Re: Login/logout information
From: Austin M. Horst (anonymous_at_discussions.microsoft.com)
Date: 02/05/04
- In reply to: Mark Chimes: "Re: Login/logout information"
Date: Thu, 5 Feb 2004 12:31:08 -0800
Turn on Auditing of "Account Logon Events"
in Windows 2000 Server:
Click [Start]
Settings
Control Panel
Administrative Tools
Active Directory Users and Computers
Right-click on your domain name in the console tree
Click Properties
Group Policy tab
Click [Edit]
In the left pane, navigate to...
+ Computer Configuration
  + Windows Settings
    + Security Settings
      + Local Policies
        + Audit Policy
Right-click "Audit account logon events"
Click Security
Check the box next to "Audit successful"
Click OK
Right-click "Audit logon events"
Click Security
Check the box next to "Audit successful"
Click OK
"Auditing in Windows 2000 Server"
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/iisbook/c09_auditing_in_windows_2000_server.asp
"Audit Account Logon Events"
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.asp
"Tracking Logon and Logoff Activity in Windows 2000"
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.asp
Microsoft Knowledge Base Article - 174073
"Auditing User Authentication"
http://support.microsoft.com/support/kb/articles/q174/0/73.asp
---------------------------------------
VB Scripts are available from Microsoft's site (and many others) to query the Event Log for specific events:
"Querying Event Logs"
http://www.microsoft.com/technet/scriptcenter/scrguide/sas_log_udqz.asp
"Querying a Specific Event Log"
http://www.microsoft.com/technet/scriptcenter/scrguide/sas_log_dsts.asp
"Querying an Event Log for a Subset of Events"
http://www.microsoft.com/technet/scriptcenter/scrguide/sas_log_ozcc.asp
"Retrieving Event Log Records from a Specified Day"
http://www.microsoft.com/technet/scriptcenter/scrguide/sas_log_lfas.asp
---------------------------------------
"Copy Event Log Events to a Database"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog07.asp
"Copy Previous Days Event Log Events to a Database"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog08.asp
"Query a Specific Event Log"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog13.asp
"Retrieve All Events from an Event Log"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog15.asp
"Retrieve Events For One Day from an Event Log"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog17.asp
"Retrieve Specific Events from an Event Log"
http://www.microsoft.com/technet/scriptcenter/logs/scrlog16.asp
You don't want to be looking for "Logon" Event ID: 540 because that number is used
when you map a drive to a server, connect to the server's registry, and perform a network logon.
A query on ID: 540 would make it appear that logon events are occurring more frequently than they actually are.
Austin M. Horst
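
The point about Event ID 540 above, as an added example that is not part of the original post: a VBScript, in the style of the Script Center queries linked above, that tallies successful logon events in the Security log by event ID and logon type, so network logons (540) show up separately from the rest. Event ID 528 (the non-network successful logon) and the position of the Logon Type field in InsertionStrings are assumptions not stated in the post; check them against an event on your own server.

```vbscript
' Added example (not from the original post): tally successful logons by event ID and logon type.
' Assumptions: run with cscript as an administrator on the server being audited;
' event 528 is the non-network successful logon and 540 the network logon;
' the fourth insertion string (index 3) of both events is the Logon Type
' (2 = interactive, 3 = network).
Option Explicit

Dim objWMI, colEvents, objEvent, dictCounts, arrStrings, strType, strKey

' The (Security) privilege must be requested to read the Security log through WMI.
Set objWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

Set colEvents = objWMI.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'Security' AND (EventCode = 528 OR EventCode = 540)")

Set dictCounts = CreateObject("Scripting.Dictionary")

For Each objEvent In colEvents
    ' Copy the property first: indexing it directly is parsed as a method call.
    arrStrings = objEvent.InsertionStrings
    strType = "unknown"
    If IsArray(arrStrings) Then
        If UBound(arrStrings) >= 3 Then strType = arrStrings(3)
    End If

    strKey = "Event " & objEvent.EventCode & ", logon type " & strType
    If dictCounts.Exists(strKey) Then
        dictCounts(strKey) = dictCounts(strKey) + 1
    Else
        dictCounts.Add strKey, 1
    End If
Next

' A large "Event 540, logon type 3" count next to a small 528 count is the
' inflation the post describes: drive mappings and remote registry connections,
' not people sitting down at the console.
For Each strKey In dictCounts.Keys
    WScript.Echo strKey & ": " & dictCounts(strKey)
Next
```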