-=PCTechTalk=- Re: who has logged in to my machine

This is EXCELLENT - Thank you


________________________________

Ok, Bob.  There are two basic ways you can handle this curiosity.  The
method I would choose would depend on the number of users set up on the
system, the number of people with physical access to the system and how much
work I felt like doing at that particular time.  I'm sure that's a big help,
huh?      lol

If you just suspect that someone might be logging on when they're not
supposed to and we're talking about a home system (maybe one of the kids is
getting up in the middle of the night to chat with friends?), you can just
open up Explorer and look at the date/time for each user's NTUSER.DAT.log
file.  This doesn't tell you when they log onto the system, but it'll tell
you precisely when they last logged off.  This should be enough info to let
you know if you have someone using the system when they're not supposed to
be on it.

However, if we're talking about a business setting and you suspect the
janitor is getting inside your network, you'll want much more info about the
time of logon, length of session and time of logoff.  For this, you'll need
to set up a rule to start logging access to the system in question.  If
we're talking about multiple systems that could be compromised this way,
you'll want to set this up on every machine to which the person may have
access.  Note that the normal users of these systems should only have a
Limited user account.  If they are also set up with Admin privs, whoever is
using the system during these times will easily be able to turn off the
logging of their activities.  Far too often, workers write down their
passwords on slips of paper or sticky notes and keep them close to the
system.  Of course, that makes these systems easy targets for curious eyes,
even if nothing malicious is involved.

So, while logged in under an Admin username, go to Start > Programs >
Administrative tools > Local security policy > Local policies > Audit policy
to get to the controls.  Enable both success and failure logon events and
account logon events.  You can then close out of the window.  From that
moment on, you'll be able to monitor these events from within the Security
tab inside the Event Viewer.  To open the Event Viewer, just go to Start >
Run, type in eventvwr.msc and press Enter.

Oh, I should have mentioned sooner that the above applies only for standalone
systems or those that are a part of a peer to peer network (most home
networks are peer to peer).  If this is part of a Domain network (one
central server for numerous workstations), enable this type of auditing at
the server instead of at each workstation.

Peace,
Gman
http://www.bornagainamerican.org

"The only dumb questions are the ones we fail to ask"

----- Original Message ----- 
From: "Robert Andrew Dulaney Jr." <rdulaneyjr@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, February 24, 2009 6:09 PM
Subject: -=PCTechTalk=- Re: who has logged in to my machine


> Thanks for the quick response . . . Silly me The OS would be XP
> yes it would be someone logging in at the machine itself and yes I have 
> admin access.
> I am hoping I can also discover the time of the log in as well.
> Thanks in advance
>
> Bob 

From: Gman <gman.pctt@xxxxxxxxx>
To: pctechtalk@xxxxxxxxxxxxx
Sent: Tuesday, February 24, 2009 4:55:40 PM
Subject: -=PCTechTalk=- Re: who has logged in to my machine


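Added example, not part of the original thread: once the logon auditing described above is enabled, the time of logon, length of session and time of logoff come from pairing logon and logoff records by their Logon ID. The sketch below assumes the XP Security log event IDs 528 (logon), 538/551 (logoff) and 529 (failed logon), which the thread does not name, and runs on constructed records in a simplified tab-separated layout that is not Event Viewer's own export format.

```python
from datetime import datetime

# Windows XP Security log event IDs (XP/2003 numbering).
LOGON, LOGOFF, USER_LOGOFF, FAILED = 528, 538, 551, 529
INTERACTIVE_TYPES = {2, 10}  # 2 = console logon, 10 = Remote Desktop

# Constructed sample: timestamp, event ID, user, logon type, logon ID.
# This tab-separated layout is an assumption, not Event Viewer's export format.
SAMPLE = """\
2009-02-24 08:55:10\t528\tBob\t2\t0x1A2B3
2009-02-24 17:02:41\t538\tBob\t2\t0x1A2B3
2009-02-25 02:13:05\t529\tKid\t2\t-
2009-02-25 02:13:40\t528\tKid\t2\t0x2C4D5
2009-02-25 03:47:12\t551\tKid\t2\t0x2C4D5
2009-02-25 09:01:00\t528\tBob\t2\t0x3E6F7
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, eid, user, ltype, lid = line.split("\t")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, int(ltype), lid

def sessions(text):
    """Pair each interactive logon with its logoff by logon ID."""
    open_, done, failed = {}, [], []
    for ts, eid, user, ltype, lid in parse(text):
        if eid == FAILED:
            failed.append((ts, user))
        elif eid == LOGON and ltype in INTERACTIVE_TYPES:
            open_[lid] = {"user": user, "on": ts, "off": None}
        elif eid in (LOGOFF, USER_LOGOFF) and lid in open_:
            s = open_.pop(lid)
            s["off"] = ts
            done.append(s)
    # Logons with no logoff record (still logged on, or the event was never written).
    done.extend(open_.values())
    return sorted(done, key=lambda s: s["on"]), failed

def off_hours(sess, start=7, end=22):
    """Sessions that began outside the allowed window [start, end)."""
    return [s for s in sess if not start <= s["on"].hour < end]

if __name__ == "__main__":
    sess, failed = sessions(SAMPLE)
    for s in sess:
        length = s["off"] - s["on"] if s["off"] else "no logoff recorded"
        print(s["user"], s["on"], "->", s["off"], length)
    print("off-hours:", [(s["user"], s["on"]) for s in off_hours(sess)])
    print("failed logons:", failed)
```

The 07:00 to 22:00 window in `off_hours` is a hypothetical default; set it to the hours the machine is supposed to be in use.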