how to track users session in XP

  • Thread starter Thread starter eric
  • Start date Start date
E

eric

Hi,
Is there, in Windows XP, a way to check what users have logged on and
when?

I suspect someone entered my office without authorization and logged on
using a guest
account that was left without password. I want to be able to verify
this.
thanks.
 
Event Viewer.

The security log records events such as valid and invalid logon attempts.

To open the Event Viewer...
Start | Run | Type: eventvwr | Click OK

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
I just run eventvwr. I get three categories: applications (which
records errors occuring in applications), security, and system.
None of them show session start/end info, or any activity at the time
when I suspect the break-in occurred.
Security is actually empty (no events).
How do I turn session monitoring on?
 
Right click Security | Properties | Filter tab |
Make sure that all Event types are selected.

If XP Pro, Group Policy. I have no idea with XP Home.

Start | Run | Type: gpedit.msc | Click OK |

Set both Audit account logon events & Audit logon events for Success &
Failure

From Group Policy HELP...

[[Audit account logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on to or logging
off from another computer in which this computer is used to validate the
account.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when an account logon attempt succeeds.
Failure audits generate an audit entry when an account logon attempt fails.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

If success auditing for account logon events is enabled on a domain
controller, an entry is logged for each user who is validated against that
domain controller, even though the user is actually logging on to a
workstation that is joined to the domain.

Default:
No auditing for domain controllers.
Undefined for a member computer. ]]

[[Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit each instance of a user logging on to, logging
off from, or making a network connection to this computer.

If you are logging successful Audit account logon events on a domain
controller, workstation logon attempts do not generate logon audits. Only
interactive and network logon attempts to the domain controller itself
generate logon events. In short, "account logon events" are generated where
the account lives; "logon events" are generated where the logon attempt
occurs.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a logon attempt succeeds. Failure audits
generate an audit entry when a logon attempt fails. To set this value to no
auditing, in the Properties dialog box for this policy setting, select the
Define these policy settings check box and clear the Success and Failure
check boxes.

Default: No auditing.]]

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
thanks a lot. I just did what you suggested and verified that now
succesfull and unsuccefull attempts are tracked.
now all I need to do is to install a motion-activated webcam...
 
I can help with that also, but it'll cost ya! ;-)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
 
Back
Top