M
Mhaxx
Is there a log file which stores date/time of every log-in and log-out?
Mhaxx
Mhaxx
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
J
John John
Tracking Logon and Logoff Activity in Windows 2000
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
John
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
John
M
Mhaxx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
But on the security log you can only find failed accesses: am I wrong?
Mhaxx
But on the security log you can only find failed accesses: am I wrong?
Mhaxx
J
John John
Mhaxx said:http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
But on the security log you can only find failed accesses: am I wrong?
Enable successful logon events (in Group Policy/Audit Policy). You
should see events 528 on successful logons, if you only see failures you
are probably only auditing failed events.
John
M
Mhaxx
Enable successful logon events (in Group Policy/Audit Policy). You
Sorry for the late, but where have I to enable successful lonon events?
Where can I find Group Policy, ecc.. ?
Mhaxx
should see events 528 on successful logons, if you only see failures you
are probably only auditing failed events.
Sorry for the late, but where have I to enable successful lonon events?
Where can I find Group Policy, ecc.. ?
Mhaxx
J
John John
Mhaxx said:Sorry for the late, but where have I to enable successful lonon events?
Where can I find Group Policy, ecc.. ?
Click on Start | Run and enter gpedit.msc
Look in:
Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\Audit account logon events
When you double click on "Audit account logon events" you will see the
options to set the Success, Failure audits.
John
M
Mhaxx
Click on Start | Run and enter gpedit.msc
Just checked both: success and failure but even if I restart my PC (to
log-in) no 528 event is found! Maybe the problem could be related to the
fact on the 3rd columns of the "Audit account logon events" is written that
the only valid setting is the failure.. and not the success: what do you
think?
Mhaxx
Look in:
Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\Audit account logon events
When you double click on "Audit account logon events" you will see the
options to set the Success, Failure audits.
Just checked both: success and failure but even if I restart my PC (to
log-in) no 528 event is found! Maybe the problem could be related to the
fact on the 3rd columns of the "Audit account logon events" is written that
the only valid setting is the failure.. and not the success: what do you
think?
Mhaxx
J
John John
There are two logon event policies. In addition to the policy already
in place also enable the "Audit logon events" policy, you should then
see Events 528. The two policies are:
Audit account logon events
Audit logon events
Audit account logon events will record events 680 and 681.
Audit logon events will record events 528 and 529.
John
in place also enable the "Audit logon events" policy, you should then
see Events 528. The two policies are:
Audit account logon events
Audit logon events
Audit account logon events will record events 680 and 681.
Audit logon events will record events 528 and 529.
John
M
Mhaxx
Audit account logon events
Checked both (success and failure) for both kind of events, but no 528
events found.. :-(
After my my last log-on I can see only events of this type:
- 514
- 512
- 515
- 612
- 518
- 642
- 628
Why?!
Mhaxx
Audit logon events
Checked both (success and failure) for both kind of events, but no 528
events found.. :-(
Audit account logon events will record events 680 and 681.
Audit logon events will record events 528 and 529.
After my my last log-on I can see only events of this type:
- 514
- 512
- 515
- 612
- 518
- 642
- 628
Why?!
Mhaxx
J
John John
Mhaxx said:Checked both (success and failure) for both kind of events, but no 528
events found.. :-(
After my my last log-on I can see only events of this type:
- 514
- 512
- 515
- 612
- 518
- 642
- 628
Why?!
I don't know, works here on my stand alone workstation. You are sure
that the policies Local Setting and Effective Setting are both shown as
being "Success, Failure"? If you are logging on to a Domain Controller
the events will be logged on the DC and not on the workstation, domain
policies override local policies.
Another possibility might be that there is filtering in the Security
Log. Highlight the Security Log and right-click on it. Select
Properties and then click on the Filter tab, and click on the Restore
Defaults button.
John
M
Mhaxx
I don't know, works here on my stand alone workstation. You are sure
To be honest I'm working in the network of my Company but I don't know if
this causes this kind of problems.. :-(
One moment.. there are 3 columns under Audit Policy for Audit account logon
events:
- Audit: Audit account logon events
- Local setting: success and failure
- Valid setting: failure
Is it normal valid setting has only failure and not both ones?
Mhaxx
that the policies Local Setting and Effective Setting are both shown as
being "Success, Failure"? If you are logging on to a Domain Controller
the events will be logged on the DC and not on the workstation, domain
policies override local policies.
To be honest I'm working in the network of my Company but I don't know if
this causes this kind of problems.. :-(
Another possibility might be that there is filtering in the Security
Log. Highlight the Security Log and right-click on it. Select
Properties and then click on the Filter tab, and click on the Restore
Defaults button.
One moment.. there are 3 columns under Audit Policy for Audit account logon
events:
- Audit: Audit account logon events
- Local setting: success and failure
- Valid setting: failure
Is it normal valid setting has only failure and not both ones?
Mhaxx
M
Mhaxx
To be honest I'm working in the network of my Company but I don't know if
Bad my admin said domain overrides our settings.. :-(
Anyway thanks for your help,
Mhaxx
this causes this kind of problems.. :-(
Bad my admin said domain overrides our settings.. :-(
Anyway thanks for your help,
Mhaxx
J
John John
Mhaxx said:To be honest I'm working in the network of my Company but I don't know if
this causes this kind of problems.. :-(
One moment.. there are 3 columns under Audit Policy for Audit account logon
events:
- Audit: Audit account logon events
- Local setting: success and failure
- Valid setting: failure
Is it normal valid setting has only failure and not both ones?
The Valid (Effective) setting would have to be set for Sucess if you
want to log logon events. You are only auditing Failures, these would
only record when someone tried to logon but failed.
In addition to "Audit account logon events" you shoul also log "Audit
logon events"
John
J
John John
Mhaxx said:Bad my admin said domain overrides our settings.. :-(
Anyway thanks for your help,
You're welcome.
John