I would like to know in the past who has logged into a particular Windows Server 2003 machine. In Linux, I would use the command “last”, and I would like similar information: username, source (IP address), start time, and either length or end time.
Most users log in using terminal services, but some use the console.
Unless you know something I don’t about the event viewer, it is not viable because it has too much junk in it. I see frequent logins from tons of users who don’t have RDP/console access to the system. I think whenever these users access the system via DCOM (or something like that), it creates an event viewer entry.
event viewer… audit logs? not posative but its a start if logging is enabled.
event log
Various ways. Your event logs can track a variety of logon/logoff events but you should be able to narrow them down based on the ID number.
IF that doesn’t work, there are several other tricks you can use:
1. From a command prompt, type:
dir “%userprofile%..ntuser.dat” /ah /s
this will list the last time for each user that their user registry settings were modified.
2. Create a login script that notes the user name and logon time to a network share accessible to all:
echo %username% – logon at %date% %time%>>\serversharelogon.log
(There are a variety of ways to do this with a logon script).