Proof of user login dates/times

By fvv
How do I get proof from AD that a user has logged onto the domain with time & date stamp? Our users by default get re-directed to a policy compliance screen which they have to agree to before using the network. In case of legal action, we need to prove that the user has logged onto the domain after reading the policy screen. This data/logs will be stored on a separate server and kept for at least 5 years.
Fred

by BFilmFan In reply to Proof of user login dates ...

Windows 2000 uses the Audit logon events category when a user logs on interactively (i.e., at the local keyboard and screen) or remotely (i.e., from over the network). The Logon Type field in the event's description contains a number that specifies the logon's nature: interactive (2), network (3), batch (4), service (5), unlocked workstation (7), network logon using a cleartext password (8), or impersonated logons (9).

As in NT, event ID 528 describes a successful logon. However, whereas NT used event ID 528 for every type of logon, Windows 2000 uses a different event ID for network logons. When you map a drive to a server, connect to the server's registry, or otherwise perform a network logon, Windows 2000 logs the new event ID 540. This new event is useful because it lets you separate network logons from other logon types. (I'd like Microsoft to create a separate event for the other important logon type: interactive logons.)

As Event Logs are limited to 300 megabytes, you will need to either manually move the logs into storage, which is a large administrative headache, or use a third-party solution which will move the log into long-term storage. I know that Quest Software, Computer Associates and numerous other vendors offer products which perform these tasks.

by entawanabi In reply to Proof of user login dates ...

Call your legal department. If as stated, then you Must Buy Something that is for that reason to stand up in court; if you cobble something together or violate the copyrights and patents by chopping it out of something else and scab it on, then you are liable in court.

by Jacky Howe In reply to Proof of user login dates ...

This section goes into your logon script.

C:
set timer=C:\%computername%.txt
echo %computername% >%timer%
echo %username% >>%timer%
echo %date% >>%timer%
echo %time% >>%timer%

call c:\comp.bat

============================
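Create a batch file called Comp.bat with the following information and place it in the root dir on each workstation.
Redirect the file to a hidden share on the server, e.g. type %computername%.txt >> \\servername\wslogs$\%computername%.txt
@echo off
rem Append the local record to this workstation's log on the hidden server share
rem (servername and wslogs$ are the example names from the line above)
type c:\%computername%.txt >> \\servername\wslogs$\%computername%.txt
rem Remove the local copy once it has been appended
del c:\%computername%.txt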


===============================
Output will look like this

WS1BOSS
Rob
Fri 17/02/2006
8:14:28.43
WS1BOSS
Rob
Fri 17/02/2006
8:16:13.39

This is similar to what I had to do at a High School that I worked for to stop vandalism.
It was a lot quicker to find the culprit.

I tried to keep it simple; you can test this on a standard PC.

Regards Rob
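
The four-line records that the logon script above appends can be read back into timestamped entries on the log server. This is an added example, not part of the original post; `parse_logon_log` and the sample data are constructed, and it assumes the dd/mm/yyyy date format shown in the post's output.

```python
import re
from datetime import datetime

# Constructed sample in the four-line format shown in the post above.
# The second record is truncated (no user line), e.g. an interrupted script.
SAMPLE = """\
WS1BOSS
Rob
Fri 17/02/2006
8:14:28.43
WS1BOSS
Fri 17/02/2006
8:15:02.10
WS1BOSS
Rob
Fri 17/02/2006
8:16:13.39
"""

# Assumption: %date% expands as "Ddd dd/mm/yyyy", as in the post's output;
# the real format follows each workstation's regional settings.
DATE_RE = re.compile(r"^[A-Za-z]{3} (\d{2}/\d{2}/\d{4})$")
TIME_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2})\.(\d{2})$")

def parse_logon_log(text):
    """Return (records, rejected_lines) from one workstation's log file."""
    # echo leaves a trailing space before the redirect, so strip each line.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, rejected, i = [], [], 0
    while i < len(lines):
        chunk = lines[i:i + 4]
        ok = (len(chunk) == 4
              and not DATE_RE.match(chunk[0]) and not TIME_RE.match(chunk[0])
              and not DATE_RE.match(chunk[1]) and not TIME_RE.match(chunk[1])
              and DATE_RE.match(chunk[2]) and TIME_RE.match(chunk[3]))
        if not ok:
            rejected.append(lines[i])  # resynchronise one line at a time
            i += 1
            continue
        day = DATE_RE.match(chunk[2]).group(1)
        clock, hundredths = TIME_RE.match(chunk[3]).groups()
        when = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M:%S")
        when = when.replace(microsecond=int(hundredths) * 10000)
        records.append({"computer": chunk[0], "user": chunk[1], "time": when})
        i += 4
    return records, rejected

if __name__ == "__main__":
    print(parse_logon_log(SAMPLE))
```

Each timestamp is the workstation's own clock as expanded by %date% and %time%, and every user who runs the logon script needs write access to the share it appends to.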

by Jacky Howe In reply to

Forgot to mention this works with Windows XP.

by Jacky Howe In reply to

There is an interesting article by Greg on environment settings.

http://www.thewinwiz.com/

Limit Logins - sonarware.com

by chrisb2003 In reply to Proof of user login dates ...

Limit Logins from sonarware.com has been doing a great job of that. It will tell you who is logged into what in real time. You can export this data.
