How to identify who logged in to my server

  • Question

  • Hi. I am an administrator of a Windows Server 2012 R2 Standard (64-bit) machine.

    My server is joined to a domain that is administered by the Domain Controller server administrator. There are several users in the domain, and they can log in to my server.

    I am looking for a way to track who logged in to my server and when, without asking the DC admin. I guess login/logout tracking records are also recorded somewhere in the event log of my server, but I am not sure how I can get that information. I would like to know the user name and login/logout time.

    Any advice will be gratefully appreciated. Thank you.

    Wednesday, July 17, 2019 6:06 AM

All replies

  • Hello KELLY_IRVINE

    Just please open Event Viewer, go to Windows Logs and then choose the Security tab to see all of the logins that have happened in your domain environment.


    Hamid Sadeghpour Saleh Microsoft MCT Regional Lead

    hamidsadeghpour.net

    Mark it as an answer if your question has been solved, in order to keep the forums updated.

    Wednesday, July 17, 2019 6:25 AM
  • Hi, Hamid. Thank you for the response.

    Can I ask a few more questions about the logon records in the security event log?

    (1)

    There are a lot of logs in the security event log on my server, so I tried to filter by 'Logon' on Task Category, but when I open the Filter Current Log window, the task category is greyed out as below. I can't type there. I don't know why. Is there any better way to filter so that only logon events show up?

    (2)

    Is there any way to filter by domain account name? As a test, I typed my domain account name in the User column in the Filter Current Log window, but nothing showed up...

    Thursday, July 18, 2019 12:58 AM
  • Hello Kelly,

    1) The "Task category" is only available once you've already selected one "Event source".

    Note: You can only have one "Event source" selected, or the "Task category" gets disabled again.


    2) You can filter by account name; you can see here for more information:
    https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, July 18, 2019 2:37 AM
  • Hi,

     

    Open the Security event log filter and, to track user logon sessions, filter the Security event log for the following Event IDs:

     

    • Logon – 4624 (An account was successfully logged on)

    • Logoff – 4647 (User initiated logoff)

    • Startup – 6005 (The Event log service was started)

    • RDP Session Reconnect – 4778 (A session was reconnected to a Window Station)

    • RDP Session Disconnect – 4779 (A session was disconnected from a Window Station)

    • Locked – 4800 (The workstation was locked)

    • Unlocked – 4801 (The workstation was unlocked)

     

    For your reference: https://community.spiceworks.com/how_to/130398-how-to-track-user-logon-sessions-using-event-log

    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

     

    Best Regards,

    Farena


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 18, 2019 3:06 AM
  • Hi, Leon. Thank you for providing that great information. I really appreciate it!

    (1) works! Thank you!

    Can I ask for a little more help on (2)?

    If I would like to edit the query manually on the XML tab of Create Custom View, and I need to filter for events whose event ID is 4624 and which also include the domain username ABCDE in the General tab of the event log, what is the right way to set the query? The query below is my query, which failed to execute. I think the username part is wrong somehow.

    <Query List>
         <Query ID="0" Path="Security">
              <Select Path ="Security">
                 *[
                      System[
                          (EventID=4624) AND (General=*ABCDE*)
                      ]
                 ]
              </Select>
         </Query>
    </Query List>

    Thursday, July 18, 2019 4:39 AM
  • Right-click the Security event log > Create Custom View.

    Then enter the event ID there and a valid username:

    If you now go to the XML tab, you should see something like this:


    The Username has been translated to its SID (Security Identifier), as you can see in the above picture.

    You shouldn't need to modify any XML, it should be enough to just insert the appropriate data in the Filter tab, that is: the Event ID and User.


    Blog: https://thesystemcenterblog.com

    Thursday, July 18, 2019 11:44 AM
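
Added example, not part of any reply in this thread: a PowerShell query that lists who logged on and off and when, using the event IDs 4624 and 4647 named above and matching the account on the TargetUserName field that these events carry in EventData. ABCDE is the account name from the question; the 7-day look-back window is an assumption.

```powershell
# Added example: list logon (4624) and logoff (4647) events for one account
# from the local Security log. Run in an elevated PowerShell session.
$Account = 'ABCDE'   # account name from the question; replace with the real one
$Days    = 7         # assumed look-back window

# timediff() works in milliseconds. The account name of these events is stored
# in EventData (TargetUserName), so the filter matches on that element.
$ms    = $Days * 24 * 60 * 60 * 1000
$xpath = "*[System[(EventID=4624 or EventID=4647) and " +
         "TimeCreated[timediff(@SystemTime) <= $ms]] and " +
         "EventData[Data[@Name='TargetUserName']='$Account']]"

# SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches.
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the <Data Name="..."> elements of EventData into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Event     = if ($_.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']      # 2 = interactive, 3 = network, 10 = RDP
            LogonId   = $data['TargetLogonId']  # same value on a matching logon and logoff
            SourceIp  = $data['IpAddress']      # present on 4624 only
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The expression built in `$xpath` can also be used between the `<Select Path="Security">` tags on the XML tab of a custom view, with the variables replaced by literal values and `<=` written as `&lt;=`.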
  • Hi,

     

    Was your issue solved?

     

    If the reply helped you, please remember to mark it as an answer.

     

    If not, please reply and tell us the current situation in order to provide further help.



    Monday, July 22, 2019 8:14 AM