3 Replies Latest reply on Apr 25, 2016 5:29 PM by pebcakproblemsolver

    Determine when a user logs on/off for the day


      I could use some help figuring out a way to determine when a particular user has logged in for the day, and when they stopped working for the day.  The user in question uses a laptop that goes home with them every night.  I am currently running the User Logs On report to get a good estimate.  I can see their user account authenticating against AD all day for all sorts of things.  This gives me a good idea of start and stop times, but it's not perfect.  Is there a better way?  Is there a report that would tell me exactly when the user's machine starts and stops communicating with the network?

        • Re: Determine when a user logs on/off for the day

          Do you have the Agent on the user's laptop?


          If you search for logons based only on data from a domain controller, then you're going to see events all day.  Windows is constantly asking the domain to confirm rights for all sorts of things (permission to run apps, connect to Exchange, map shares, access files, etc.) and Windows and LEM call all those things "Logons."


          There is a special event that shows when meat touched a system, though: the Interactive Logon.


          So, if I search for my own account in nDepth for the last couple hours, I get this:

          [Screenshot: 2016-03-21 09_09_19-SolarWinds Log & Event Manager.png]


          If I search for Interactive Logons, though, I get a lot fewer events.  These events don't get sent to the domain controllers, they only get logged on the destination systems, so you'd need an agent on the systems in question.

          [Screenshot: 2016-03-21 09_10_47-SolarWinds Log & Event Manager.png]

          These definitively report when a user entered their password to log into a system, as opposed to all the AD authentication traffic noise.
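
The distinction drawn in the reply above, as an added example that is not part of the original thread: it keeps only hands-on logons (standard Windows event 4624 with logon type 2, 7 or 11) and session-end events (4647, 4800) and reports the first and last per day. The whitespace-separated input format, the account names and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Windows Security log conventions: 4624 = logon, 4647 = user-initiated logoff,
# 4800 = workstation locked. Logon types: 2 interactive, 7 unlock,
# 11 cached interactive (laptop off the network); 3 = network logon (the noise).
HANDS_ON_TYPES = {2, 7, 11}
END_EVENTS = {4647, 4800}

# Constructed sample mixing domain-controller and laptop events:
# timestamp, event id, logon type ("-" where not applicable), account
SAMPLE = """\
2016-03-21T07:58:40 4624 3 CORP\\jdoe
2016-03-21T08:02:11 4624 2 CORP\\jdoe
2016-03-21T08:02:12 4624 3 CORP\\jdoe
2016-03-21T12:01:05 4800 - CORP\\jdoe
2016-03-21T12:47:30 4624 7 CORP\\jdoe
2016-03-21T16:20:00 4624 3 CORP\\svc_backup
2016-03-21T17:31:44 4647 - CORP\\jdoe
2016-03-21T17:40:02 4624 3 CORP\\jdoe
2016-03-22T20:15:09 4624 11 CORP\\jdoe
"""

def parse(lines):
    """Yield (timestamp, event id, logon type or None, lower-cased account)."""
    for line in lines.splitlines():
        ts, event_id, logon_type, account = line.split()
        yield (datetime.fromisoformat(ts), int(event_id),
               None if logon_type == "-" else int(logon_type), account.lower())

def workday_bounds(lines, account):
    """Return {date: (first hands-on logon, last logoff/lock or None)}."""
    starts, ends = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, who in parse(lines):
        if who != account.lower():
            continue
        if event_id == 4624 and logon_type in HANDS_ON_TYPES:
            starts[ts.date()].append(ts)
        elif event_id in END_EVENTS:
            ends[ts.date()].append(ts)
    # Days with no hands-on logon are omitted; a missing end stays None.
    return {day: (min(starts[day]), max(ends[day], default=None))
            for day in sorted(starts)}

if __name__ == "__main__":
    for day, (first, last) in workday_bounds(SAMPLE, "CORP\\jdoe").items():
        print(day, "start", first.time(), "end", last.time() if last else "n/a")
```

The cached interactive type (11) matters for a laptop that leaves the office, since a logon made off the network is validated against cached credentials and is recorded only on the laptop itself.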

          • Re: Determine when a user logs on/off for the day

            I am attempting to do something similar with After Hour logins.
            Current setup is:

            Naming my domain so Windows services accounts don't trigger and vendor service accounts named as "does not contain" so I won't get alerts for those either.
            I will probably have to adjust the correlation time a little bit but I have high hopes for this time around.
            Will keep you updated.