Log-in log-out

[Mhaxx]

Is there a log file which stores date/time of every log-in and log-out?

Mhaxx

 

[John John]

Re: Log-in log-out

Tracking Logon and Logoff Activity in Windows 2000
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx

John

Mhaxx wrote:

> Is there a log file which stores date/time of every log-in and log-out?
>
> Mhaxx
>
>

 

[Mhaxx]

Re: Log-in log-out

>
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx

But on the security log you can only find failed accesses: am I wrong?

Mhaxx

 

[John John]

Re: Log-in log-out



Mhaxx wrote:
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
>
> But on the security log you can only find failed accesses: am I wrong?

Enable successful logon events (in Group Policy/Audit Policy). You
should see events 528 on successful logons, if you only see failures you
are probably only auditing failed events.

John

 

[Mhaxx]

Re: Log-in log-out

> Enable successful logon events (in Group Policy/Audit Policy). You
> should see events 528 on successful logons, if you only see failures you
> are probably only auditing failed events.

Sorry for the late, but where have I to enable successful lonon events?
Where can I find Group Policy, ecc.. ?

Mhaxx

 

[John John]

Re: Log-in log-out

Mhaxx wrote:

>>Enable successful logon events (in Group Policy/Audit Policy). You
>>should see events 528 on successful logons, if you only see failures you
>>are probably only auditing failed events.
>
>
> Sorry for the late, but where have I to enable successful lonon events?
> Where can I find Group Policy, ecc.. ?

Click on Start | Run and enter gpedit.msc

Look in:

Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\Audit account logon events

When you double click on "Audit account logon events" you will see the
options to set the Success, Failure audits.

John

 

[Mhaxx]

Re: Log-in log-out

> Click on Start | Run and enter gpedit.msc
>
> Look in:
>
> Local Computer Policy\Computer Configuration\Windows Settings\Security
> Settings\Local Policies\Audit Policy\Audit account logon events
>
> When you double click on "Audit account logon events" you will see the
> options to set the Success, Failure audits.

Just checked both: success and failure but even if I restart my PC (to
log-in) no 528 event is found! Maybe the problem could be related to the
fact on the 3rd columns of the "Audit account logon events" is written that
the only valid setting is the failure.. and not the success: what do you
think?

Mhaxx

 

[John John]

Re: Log-in log-out

There are two logon event policies. In addition to the policy already
in place also enable the "Audit logon events" policy, you should then
see Events 528. The two policies are:

Audit account logon events
Audit logon events

Audit account logon events will record events 680 and 681.

Audit logon events will record events 528 and 529.

John

Mhaxx wrote:

>>Click on Start | Run and enter gpedit.msc
>>
>>Look in:
>>
>>Local Computer Policy\Computer Configuration\Windows Settings\Security
>>Settings\Local Policies\Audit Policy\Audit account logon events
>>
>>When you double click on "Audit account logon events" you will see the
>>options to set the Success, Failure audits.
>
>
> Just checked both: success and failure but even if I restart my PC (to
> log-in) no 528 event is found! Maybe the problem could be related to the
> fact on the 3rd columns of the "Audit account logon events" is written that
> the only valid setting is the failure.. and not the success: what do you
> think?
>
> Mhaxx
>
>

 

[Mhaxx]

Re: Log-in log-out

> Audit account logon events
> Audit logon events

Checked both (success and failure) for both kind of events, but no 528
events found.. :-(

> Audit account logon events will record events 680 and 681.
>
> Audit logon events will record events 528 and 529.

After my my last log-on I can see only events of this type:
- 514
- 512
- 515
- 612
- 518
- 642
- 628

Why?!

Mhaxx

 

[John John]

Re: Log-in log-out

Mhaxx wrote:
>>Audit account logon events
>>Audit logon events
>
>
> Checked both (success and failure) for both kind of events, but no 528
> events found.. :-(
>
>
>>Audit account logon events will record events 680 and 681.
>>
>>Audit logon events will record events 528 and 529.
>
>
> After my my last log-on I can see only events of this type:
> - 514
> - 512
> - 515
> - 612
> - 518
> - 642
> - 628
>
> Why?!

I don't know, works here on my stand alone workstation. You are sure
that the policies Local Setting and Effective Setting are both shown as
being "Success, Failure"? If you are logging on to a Domain Controller
the events will be logged on the DC and not on the workstation, domain
policies override local policies.

Another possibility might be that there is filtering in the Security
Log. Highlight the Security Log and right-click on it. Select
Properties and then click on the Filter tab, and click on the Restore
Defaults button.

John

 

[Mhaxx]

Re: Log-in log-out

> I don't know, works here on my stand alone workstation. You are sure
> that the policies Local Setting and Effective Setting are both shown as
> being "Success, Failure"? If you are logging on to a Domain Controller
> the events will be logged on the DC and not on the workstation, domain
> policies override local policies.

To be honest I'm working in the network of my Company but I don't know if
this causes this kind of problems.. :-(

> Another possibility might be that there is filtering in the Security
> Log. Highlight the Security Log and right-click on it. Select
> Properties and then click on the Filter tab, and click on the Restore
> Defaults button.

One moment.. there are 3 columns under Audit Policy for Audit account logon
events:
- Audit: Audit account logon events
- Local setting: success and failure
- Valid setting: failure

Is it normal valid setting has only failure and not both ones?

Mhaxx

 

[Mhaxx]

Re: Log-in log-out

> To be honest I'm working in the network of my Company but I don't know if
> this causes this kind of problems.. :-(

Bad news: my admin said domain overrides our settings.. :-(

Anyway thanks for your help,

Mhaxx

 

[John John]

Re: Log-in log-out

Mhaxx wrote:

>>I don't know, works here on my stand alone workstation. You are sure
>>that the policies Local Setting and Effective Setting are both shown as
>>being "Success, Failure"? If you are logging on to a Domain Controller
>>the events will be logged on the DC and not on the workstation, domain
>>policies override local policies.
>
>
> To be honest I'm working in the network of my Company but I don't know if
> this causes this kind of problems.. :-(
>
>
>>Another possibility might be that there is filtering in the Security
>>Log. Highlight the Security Log and right-click on it. Select
>>Properties and then click on the Filter tab, and click on the Restore
>>Defaults button.
>
>
> One moment.. there are 3 columns under Audit Policy for Audit account logon
> events:
> - Audit: Audit account logon events
> - Local setting: success and failure
> - Valid setting: failure
>
> Is it normal valid setting has only failure and not both ones?

The Valid (Effective) setting would have to be set for Sucess if you
want to log logon events. You are only auditing Failures, these would
only record when someone tried to logon but failed.

In addition to "Audit account logon events" you shoul also log "Audit
logon events"

John

 

[John John]

Re: Log-in log-out

Mhaxx wrote:

>>To be honest I'm working in the network of my Company but I don't know if
>>this causes this kind of problems.. :-(
>
>
> Bad news: my admin said domain overrides our settings.. :-(
>
> Anyway thanks for your help,

You're welcome.

John