Windows 2000 - User Activity tracking

Submit

Hi,

I would like to track the time users log in and log off. This is on Windows 2000 machines. Is there a utility which will allow me to do so?
 

Fencer128

Hi,

Not sure about 2000, but on XP you can set "auditing" of security events (i.e. logon), which can then be viewed in the "event viewer". In XP auditing is set under "local security policy" in "administrative tools".

Good luck,

Andy
 

Submit

Thanks for the response. I am mainly concerned about the logoff event. Is there a way to set this up?
 

brandonm

Yes, you can enable security auditing in Windows 2000. It is configured in the same place as in XP (mentioned above).
 

Fencer128

In the "system" log, the entry "the eventlog was stopped" is usually generated at logoff. If you tally this with the "logon" event in the "security" log, then you should be able to tell when someone (local user) logs on and off.

Good luck,

Andy
 

Fencer128

Sorry - not sure about that. Best advice is that if you need to track someone to that degree - and they can't be 100% trusted not to delete logs - then don't give them the privileges that allow them to do that (i.e. make them a user/limited account rather than administrative).

Good luck,

Andy
 

mikecel79

Originally posted by: Fencer128
In the "system" log, the entry "the eventlog was stopped" is usually generated at logoff. If you tally this with the "logon" event in the "security" log, then you should be able to tell when someone (local user) logs on and off.

Event ID 6006 (Event Log was stopped) is not generated when a user logs off. Only when the computer is shut down or rebooted.

 

mikecel79

Originally posted by: Submit
Is there a different way to do this? In case a user clears the logs?

The only way to track what you want is through the security log. Run GPedit.msc and go under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. In there you can turn on auditing of what events you want. The only user that can clear a security log is one with Administrator rights. Normal or Power Users cannot clear any of the logs.

 

Submit

mikecel79,

I followed your instructions, I can see all the logon events, but the logoff events are not getting logged....
 

Fencer128

Hi again,

There is not a "logoff" option like there is a "logon" option in the audit policy. I do not think it can be audited directly (which is why I first suggested using the event viewer to look for other signs of a logoff - though unfortunately I chose a bad example!)

Cheers,

Andy
 

mikecel79

Logon event ID is 540. Logoff Event ID is 538. This is on a domain. I don't have access to a machine that is not on a domain right now so they may be different. I'll see if I can find out.
 

Fencer128

Hi,

I'm not sure there's a logoff event if you're workgroup based, as there's no domain controller to log on/off to.

Cheers,

Andy
 

Fencer128

Hi,

Sorry - wrong again! :eek: I think this is it....

Could it be a 551 logoff and 528 logon event respectively?

Cheers,

Andy
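
Added example (not part of the thread): one way to turn the event IDs mentioned above (528 and 540 for logon, 538 and 551 for logoff) into per-user sessions, by pairing events that share a Logon ID. The comma-separated export layout, the user names and the Logon ID values are constructed for illustration.

```python
import csv
from datetime import datetime
from io import StringIO

LOGON_IDS = {528, 540}    # event IDs named in the thread as logon
LOGOFF_IDS = {538, 551}   # event IDs named in the thread as logoff

# Constructed sample export (assumed columns: time, event ID, user, Logon ID).
SAMPLE = """\
2003-02-11 08:58:02,528,alice,0x3E9A1
2003-02-11 09:10:40,540,bob,0x40B77
2003-02-11 09:10:41,538,bob,0x40B77
2003-02-11 12:01:15,551,alice,0x3E9A1
2003-02-11 12:01:17,538,alice,0x3E9A1
2003-02-11 13:05:00,528,carol,0x51C02
2003-02-11 13:30:00,538,dave,0x2AAAA
"""

def pair_sessions(text):
    """Return (sessions, open_logons, orphan_logoffs) for an export in time order."""
    open_logons = {}   # Logon ID -> (user, start time); leftovers have no logoff
    closed = set()     # Logon IDs already paired with a logoff
    sessions, orphans = [], []
    for ts, eid, user, lid in csv.reader(StringIO(text)):
        when, eid = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid)
        if eid in LOGON_IDS:
            open_logons[lid] = (user, when)
            closed.discard(lid)
        elif eid in LOGOFF_IDS:
            if lid in open_logons:
                who, start = open_logons.pop(lid)
                secs = (when - start).total_seconds()
                sessions.append((who, lid, start, when, secs))
                closed.add(lid)
            elif lid not in closed:
                # Logoff with no logon in the export: the log may have been
                # cleared or may start after the logon happened.
                orphans.append((user, lid, when))
    return sessions, open_logons, orphans

if __name__ == "__main__":
    sessions, still_open, orphans = pair_sessions(SAMPLE)
    for who, lid, start, end, secs in sessions:
        print(f"{who:6} {lid} {start} -> {end} ({secs:.0f}s)")
    print("no logoff recorded:", sorted(u for u, _ in still_open.values()))
    print("logoff without logon:", [u for u, _, _ in orphans])
```

A logon left unpaired usually means a crash, a power loss or a session still in progress; a logoff with no matching logon is worth checking against the time the security log was last cleared.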