Compatible Support Forums: Server Event viewer interpretation (Logon/Logoff)


#1 User is offline   rwilliams3 

  • stranger
  • Group: Members
  • Posts: 2
  • Joined: 28-January 03

Posted 28 January 2003 - 08:40 PM

I have been asked by management to provide a report displaying when users logon in the morning and logoff when they are leaving.

I've looked in the Event Viewer/Security Log and identified event ID 540 as Logon & 538 as Logoff, but there are multiple instances for each?

For example, I see event ID 540 for user:Wilber$ logging in at 7:49 am, 8:14, 8:28, 8:44, etc...

Same for event ID 538.

How can I best filter these extra entries out and create a useful report?

Thanks,

Russell
:x
0

#2 User is offline   DosFreak 

  • Carpal Tunnel
  • Group: Moderators
  • Posts: 3885
  • Joined: 04-February 00

Posted 28 January 2003 - 08:56 PM

Extra entries? These are the times that the user logged on/logged off. I'm assuming that the user locked/unlocked their workstation and logged back on again. The times sound about right. For proper auditing you NEED these times logged.
0

#3 User is offline   Mr.Guvernment 

  • veteran
  • Group: Members
  • Posts: 1441
  • Joined: 04-January 01

Posted 28 January 2003 - 08:59 PM

Could very well be he has logged in and out multiple times,

or do you simply want to know when he was in the first time, and logged out the last time?

You can sort it by time / date, I believe.

Management would likely want ALL times - they are probably seeing how often users are away from the stations when they should not be.
0

#4 User is offline   rwilliams3 

  • stranger
  • Group: Members
  • Posts: 2
  • Joined: 28-January 03

Posted 28 January 2003 - 10:00 PM

They only need the first logon time in the morning and the last logoff time in the afternoon. Kinda like a punch-clock time keeper.

Some of the logon/logoff events happen every 2 or 3 minutes. Don't think someone would be locking/unlocking their workstation that frequently?

In Domain Security Policy/Local Policies/Audit Policy I have two items logging Success/Failures. They are:
1. Audit account logon events
2. Audit logon events

What's the difference?

RW
0

#5 User is offline   DS3Circuit 

  • old hand
  • Group: Members
  • Posts: 739
  • Joined: 11-December 02

Posted 29 January 2003 - 01:04 AM

1. Audit account logon events is when a domain controller receives a request to validate a user account. See article http://support.microsoft.com/support/kb/articles/q174/0/73.asp

2. Audit logon events is when a user logs on or off, or makes or cancels a network connection.

Auditing is a great way to detect random password hacks and/or stolen user credentials with those 2 audits.
0
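The punch-clock report asked for in this thread, as an added example that is not part of any post: it reduces an exported Security log to the first logon (event ID 540) and last logoff (event ID 538) per user per day, and drops account names ending in `$`, which are computer accounts in a Windows domain. The CSV column names, the sample rows and the function names are constructed assumptions.

```python
import csv
import io
from datetime import datetime

LOGON_IDS = {"540"}   # logon event ID named in the thread
LOGOFF_IDS = {"538"}  # logoff event ID named in the thread

# Constructed sample export; the column names are an assumption.
SAMPLE_CSV = """Date,Time,EventID,User
2003-01-28,07:49:00,540,Wilber$
2003-01-28,07:55:12,540,jsmith
2003-01-28,07:58:40,538,jsmith
2003-01-28,08:05:00,529,mjones
2003-01-28,08:14:00,540,Wilber$
2003-01-28,08:14:30,538,Wilber$
2003-01-28,12:31:05,540,jsmith
2003-01-28,17:02:44,538,jsmith
2003-01-29,08:01:10,540,jsmith
2003-01-29,not-a-time,538,jsmith
"""


def punch_clock(csv_text):
    """Map (user, date) -> (first logon, last logoff); either may be None."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, event_id = row["User"].strip().lower(), row["EventID"].strip()
        if user.endswith("$"):  # computer account, not a person
            continue
        if event_id not in LOGON_IDS | LOGOFF_IDS:
            continue  # any other event ID is outside this report
        try:
            ts = datetime.strptime(row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: skip the row rather than guess
        first, last = report.get((user, ts.date()), (None, None))
        if event_id in LOGON_IDS:
            first = ts if first is None else min(first, ts)
        else:
            last = ts if last is None else max(last, ts)
        report[(user, ts.date())] = (first, last)
    return report


def format_report(report):
    """One line per user per day, sorted; '-' marks a missing event."""
    fmt = lambda t: t.strftime("%H:%M:%S") if t else "-"
    return [f"{day} {user:<10} in {fmt(first)} out {fmt(last)}"
            for (user, day), (first, last) in sorted(report.items())]


if __name__ == "__main__":
    print("\n".join(format_report(punch_clock(SAMPLE_CSV))))
```

A day with a logon but no matching logoff is reported with `-` instead of being dropped, so gaps in the log stay visible in the report.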
