Windows Server 2012 R2: how to monitor logons

windows-server-2012-r2

How do I check the users that have logged in on the server in the last couple of weeks? I suppose Event Viewer, but where exactly?

Best Answer

It's all in the Security event log. Interactive logons, network logons, local logons, logons over RDP... Whether your Security event log can store weeks' worth of events depends on how busy your server is and how large your event log is configured to be.

http://blogs.msdn.com/b/ericfitz/archive/2008/08/20/tracking-user-logon-activity-using-logon-events.aspx

The three-digit event IDs are for old versions of Windows. The corresponding four-digit event IDs are for newer (Vista+) versions of Windows.

512 / 4608  STARTUP
513 / 4609  SHUTDOWN
528 / 4624  LOGON
538 / 4634  LOGOFF
551 / 4647  BEGIN_LOGOFF
N/A / 4778  SESSION_RECONNECTED
N/A / 4779  SESSION_DISCONNECTED
N/A / 4800  WORKSTATION_LOCKED 
* / 4801    WORKSTATION_UNLOCKED
N/A / 4802  SCREENSAVER_INVOKED
N/A / 4803  SCREENSAVER_DISMISSED

You may also be interested in configuring Advanced Audit Policies:

https://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx

They allow you to capture even more events with more granular detail than you do by default. But it is not necessary just to capture basic "a user just logged on" type events. But be careful about logging too much... excessive logging fills up your event log with clutter.

An event ID 4624 for example:

4624
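An added example, not part of the original answer: a PowerShell query that pulls event ID 4624 from the Security log for the last 14 days and summarizes logons per user. The 14-day window, the choice of logon types to keep, and the variable names are assumptions made for illustration.

```powershell
# Run in an elevated PowerShell session; reading the Security log requires it.
$since = (Get-Date).AddDays(-14)   # assumed window for "the last couple of weeks"

# Logon type codes recorded in the LogonType field of event 4624
$logonTypes = @{
    2 = 'Interactive';  3 = 'Network';         4 = 'Batch'
    5 = 'Service';      7 = 'Unlock';          8 = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}
$wanted = 2, 10, 11   # assumption: only console, RDP and cached logons are of interest

# Check retention first: if the oldest record is newer than $since, the log has rolled over.
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
if ($oldest -and $oldest.TimeCreated -gt $since) {
    Write-Warning "Security log only goes back to $($oldest.TimeCreated); results are incomplete."
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is reported as an error otherwise

$logons = foreach ($e in $events) {
    # The named fields are in the event XML under EventData/Data
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $type = [int]$data['LogonType']
    if ($wanted -notcontains $type) { continue }
    if ($data['TargetUserName'] -like '*$') { continue }   # skip computer accounts

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $logonTypes[$type]
        SourceIp  = $data['IpAddress']
    }
}

# One row per user: number of logons, first and last time seen
$logons | Group-Object User | ForEach-Object {
    $m = $_.Group | Measure-Object -Property Time -Minimum -Maximum
    [pscustomobject]@{ User = $_.Name; Logons = $_.Count; First = $m.Minimum; Last = $m.Maximum }
} | Sort-Object Last -Descending | Format-Table -AutoSize
```

To see network logons (file shares and similar) as well, add 3 to `$wanted`; expect far more rows on a busy server.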
