Windows – command line tool to enable auditing of user logon/logoff events on Windows


I know you can do this from the local security policy editor, but I want a command line tool I can run from an automated script. I need this for Windows XP and above clients.

Bonus question (sort of philosophical): why is auditing of user logon/logoffs not enabled by default on Windows? It's logging a lot of other things by default which are less useful (IMO), why not this?

Best Answer

Auditpol will do this for you - e.g.

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

As to your bonus question, I suspect that it is a trade-off in terms of system overhead vs. usefulness. Logon/logoff events are very common on Windows systems - in a typical domain with lots of stuff turned on there can be many thousands per day; I'm looking at a system right now that has a couple every second or so. These are not all interactive logons, obviously, but anything that needs to invoke privileges or execute in a particular security context needs to log on and log off, so there will be lots of this going on. Logging "proper" interactive user logon events only might seem to be useful as a default, but having been involved in some trawling through security logs in my day, my view is that it is a good idea to log these sorts of things in an all-or-nothing sense - we found one poor user who was being fingered for something that turned out to be someone else [abusing privileges] remotely launching the offending process on the suspect's system.
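As an added example (not the answer's own script), the following PowerShell wraps the two auditpol commands above so they can run from an automated job, then reads the policy back in CSV form to confirm that both subcategories are actually set to "Success and Failure". It assumes an elevated session on Windows Vista / Server 2008 or later, where auditpol exposes per-subcategory settings.

```powershell
# Added example, not part of the original answer. Enables success and failure
# auditing for the Logon and Logoff subcategories with auditpol, then reads the
# effective policy back and fails loudly if either subcategory is not fully audited.
# Assumes an elevated session on Windows Vista / Server 2008 or later.

$subcategories = @('Logon', 'Logoff')

# Apply the settings. auditpol returns a non-zero exit code on failure
# (e.g. when run without administrative rights).
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for subcategory '$sub' (exit code $LASTEXITCODE)"
    }
}

# Verify. The /r switch prints CSV with an 'Inclusion Setting' column, which is
# simpler to check in a script than the human-readable table.
$notEnabled = @()
foreach ($sub in $subcategories) {
    $row = & auditpol.exe /get /subcategory:"$sub" /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    Write-Host ("{0,-8} -> {1}" -f $sub, $setting)
    if ($setting -ne 'Success and Failure') {
        $notEnabled += $sub
    }
}

if ($notEnabled.Count -gt 0) {
    throw "Auditing is not fully enabled for: $($notEnabled -join ', ')"
}
```

If Group Policy still applies the legacy category-level audit settings, these subcategory values can be overwritten at the next policy refresh; enabling the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" keeps them in force.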