Difference between revisions of "Windows"
Jump to navigation
Jump to search
| Line 4: | Line 4: | ||
** your network may not be win2003 network at all. you may entertain win2000 or even serverless network. | ** your network may not be win2003 network at all. you may entertain win2000 or even serverless network. | ||
| − | *FIRST you have to start logon / logoff loging on machines monitored. Those are events 528 | + | *FIRST you have to start logon / logoff loging on machines monitored. Those are events 528 for logon and 538 for logoff. More on Microsoft [http://www.microsoft.com/technet/security/bestprac/bpent/sec3/monito.mspx Event ID] |
| + | **Take care you dont confuse these with 'account logon' events which are something else and have different IDs | ||
** you can start logging of these either locally or via group policy | ** you can start logging of these either locally or via group policy | ||
Revision as of 13:01, 24 March 2006
- You have windows network and you would like monitor user login / logoff.
- You have already searched the web and usenet trying to find suitable recipies but found none to concise
- Windows 2003 server came with heaps of new auditing features and many of those are published but silent fact remains, that simple logon / logoff monitoring is not part of default reports.
- your network may not be win2003 network at all. you may entertain win2000 or even serverless network.
- FIRST you have to start logon / logoff loging on machines monitored. Those are events 528 for logon and 538 for logoff. More on Microsoft Event ID
- Take care you dont confuse these with 'account logon' events which are something else and have different IDs
- you can start logging of these either locally or via group policy
Audit Logon/Logoff success events. The logon (528/540) and logoff (538
