Have you ever wanted to monitor who’s logging into your computer and when? On Professional editions of Windows, you can enable logon auditing to have Windows track which user accounts log in and when.
The Audit logon events setting tracks both local logins and network logins. Each logon event specifies the user account that logged on and the time the login took place. You can also see when users logged off.
Note: Logon auditing only works on the Professional edition of Windows, so you can’t use this if you have a Home edition. This should work on Windows 7, 8, and Windows 10. We’re going to cover Windows 10 in this article. The screens might look a little different in other versions, but the process is pretty much the same.
Enable Logon Auditing
To enable logon auditing, you’re going to use the Local Group Policy Editor. It’s a pretty powerful tool, so if you’ve never used it before, it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway.
To open the Local Group Policy Editor, hit Start, type “gpedit.msc,“ and then select the resulting entry.
In the Local Group Policy Editor, in the left-hand pane, drill down to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. In the right-hand pane, double-click the “Audit logon events” setting.
In the properties window that opens, enable the “Success” option to have Windows log successful logon attempts. Enable the “Failure” option if you also want Windows to log failed logon attempts. Click the “OK” button when you’re done.
You can now close the Local Group Policy Editor window.
View Logon Events
After you enable logon auditing, Windows records those logon events—along with a username and timestamp—to the Security log. You can view these events using Event Viewer.
Hit Start, type “event,” and then click the “Event Viewer” result.
In the “Event Viewer” window, in the left-hand pane, navigate to the Windows Logs > Security.
In the middle pane, you’ll likely see a number of “Audit Success” events. Windows logs separate details for things like when an account someone signs on with is successfully granted its privileges. You’re looking for events with the event ID 4624—these represent successful login events. You can see details about a selected event in the bottom part of that middle-pane, but you can also double-click an event see its details in their own window.
And if you scroll down just a bit on the details, you can see information you’re after—like the user account name.
And because this is just another event in the Windows event log with a specific event ID, you can also use the Task Scheduler to take action when a logon occurs. You can even have Windows email you when someone logs on.
No comments:
Post a Comment