This post explains where to look for user logon events in the event viewer and how we can write out logon events to a text file with a simple script.
To view AD user logon times, set ‘Audit Logon events’ to ‘Success’ in the Default Domain Controllers Policy. When a user logs on, Event ID 540 (2003) or Event ID 4624 (2008) is recorded in the security log of the logon server used.
Again, ‘Audit Logon events’ needs to be set to ‘Success’; you can do this in the Default Domain Policy. When a user logs on, Event ID 528 (XP) or Event ID 4624 (W7) is recorded in the security log of the local computer.
Write Logons to Text File
This is a nice method for quickly viewing and searching for a User logon event within a single text file. Create a logon script and apply this to all users in your domain.
echo %logonserver% %username% %computername% %date% %time% >> \\server\share$\logon.txt
This outputs the logon server (the server the user authenticated against), username, computer name, date and time to a file called logon.txt. This method isn’t particularly secure, as users need permission to write to the file. You can put it in a hidden share, as I have done above, which adds a slight level of security (by obscurity), but it’s something to be aware of.
Now you can open this single file and view all user logons. You could do the same for logoff if you so desired.
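Because logon.txt is writable by every user, the Security log entries described at the top of this post are the more trustworthy record. As an added example (not part of the original post), this PowerShell script reads Event ID 4624 from the Security log and writes lines in the same column order as the batch line above; the parameter names, the look-back window and the output path are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the logon server
# or workstation whose Security log you want to read (PowerShell 3.0 or later).
param(
    [int]$Hours = 24,                                  # look-back window (assumed default)
    [string]$OutFile = "$env:TEMP\logon-4624.txt"      # hypothetical output path
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                                   # successful logon (2008 / W7)
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = @(
    # SilentlyContinue suppresses the "no events found" error on a quiet log.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Index the EventData fields by name instead of relying on their position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Server      = $_.MachineName
                User        = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = [int]$data['LogonType']
                Time        = $_.TimeCreated
            }
        } |
        # Keep interactive (2), network (3) and remote-interactive (10) logons and
        # drop computer accounts, whose names end in '$'.
        Where-Object { ($_.LogonType -in 2, 3, 10) -and ($_.User -notmatch '\$$') } |
        Sort-Object Time
)

# Same column order as the logon.txt line: server, user, computer, date and time.
$rows | ForEach-Object {
    '{0} {1}\{2} {3} {4:yyyy-MM-dd HH:mm:ss}' -f $_.Server, $_.Domain, $_.User, $_.Workstation, $_.Time
} | Set-Content -Path $OutFile

$rows | Format-Table Time, Server, Domain, User, Workstation, SourceIp, LogonType -AutoSize
```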
If you’d like to view a ‘live update’ of logon.txt, you can use an application called Tailme. This polls for updates and adds them on a new line, which is quite handy if you are waiting for a particular user to log on or if you want to see whether that user has really restarted their machine…
You can set it to sit in the tray and a single click will bring it up. Here is the config I use.