Austlink Help Centre


Windows Event Logs - Filter for User Logon and Logoff

Open Computer Management on the machine where the users log on

(Open Server Manager and then select Tools - Computer Management)

- System Tools

- Event Viewer

- Windows Logs

- Select the Security Log

 

From the Actions menu on the right select "Filter Current Log"

- Select the XML tab and tick "Edit query manually"

 

The query below lists all local and remote (i.e. via RDP) logon and logoff events for the administrator account in the "DOMAIN" domain over the last 30 days.

To use it, replace "DOMAIN" with your domain and replace "administrator" with the username of the person you want to check.

 

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4634)
        and
        TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
      and
      EventData[Data[@Name='TargetDomainName']='DOMAIN']
      and
      EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='2']
      and
      EventData[Data[@Name='TargetUserName']='administrator']]
    </Select>
  </Query>
</QueryList>

 

 

NOTES:

EventID 4624 = Logon

EventID 4634 = Logoff

LogonType 2 = Local Login

LogonType 10 = Remote Login e.g. RDP

2592000000 is the number of milliseconds in 30 days
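
The same filter can be run from PowerShell and the logon and logoff events paired into sessions. This is an added example, not part of the original article: it matches each field by name and pairs events on the TargetLogonId field, and "DOMAIN", "administrator" and the variable names are placeholders.

```powershell
# Added example. Run in an elevated session: reading the Security log needs admin rights.
$domain = 'DOMAIN'          # placeholder, replace with your domain
$user   = 'administrator'   # placeholder, replace with the account to check

# Same filter as the Event Viewer query; each Data field is matched by name.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4634)
        and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]
      and EventData[Data[@Name='TargetDomainName']='$domain']
      and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']
      and EventData[Data[@Name='TargetUserName']='$user']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -FilterXml $query | Sort-Object TimeCreated

# Flatten each event's EventData into a name -> value table.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        LogonType = $data['LogonType']
        LogonId   = $data['TargetLogonId']
        Source    = $data['IpAddress']   # only recorded on 4624 events
    }
}

# Pair each logon (4624) with the logoff (4634) that carries the same logon ID.
$rows | Group-Object LogonId | ForEach-Object {
    $on  = $_.Group | Where-Object EventId -eq 4624 | Select-Object -First 1
    $off = $_.Group | Where-Object EventId -eq 4634 | Select-Object -Last 1
    if ($on) {
        [pscustomobject]@{
            Logon = $on.Time; Logoff = $off.Time   # Logoff is empty if none was logged
            Type  = $on.LogonType; Source = $on.Source; LogonId = $on.LogonId
        }
    }
} | Sort-Object Logon | Format-Table -AutoSize
```

A session with an empty Logoff column either is still open or ended without a 4634 event being written, for example after a crash or power loss.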


This entire document, including design, text, videos, graphics, and photographs are Copyright © 2014 Austlink Plus Pty Ltd, All Rights Reserved.
No part of this document may be reproduced in any way or by any means for commercial or any other purposes, without prior written permission of Austlink Plus Pty Ltd. Use of any data for the purpose of creating promotional materials or producing a printed or electronic catalog of any kind is expressly forbidden without prior written permission of Austlink Plus Pty Ltd.
