Showing user logs
On Server 2008 R2, is there a convenient way to emulate the Unix 'last' utility (or at least show who's been logging on)? The Security event log seems to contain events for this, but they're buried within a ton of others; every 10 seconds I'm seeing an Audit Success for something irrelevant. I tried to filter by Task Category (login and logoff), but this option is always greyed out and doesn't let me enter anything, no matter what else I tweak. All I'd really like is the list of users and when they logged on. Thanks for any suggestions.
:-( + :-) = :-) :-)
September 18th, 2011 2:27pm
I am not familiar with Unix, but you can enable auditing and it will show your success and failure logon/logoff data.
You can forward/collect the event log using the following method:
http://technet.microsoft.com/en-us/library/cc748890.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx
Or you can use the Event Comb tool:
http://support.microsoft.com/kb/308471
http://support.microsoft.com/kb/824209
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
Blogs - http://blogs.sivarajan.com/
This posting is provided AS IS with no warranties, and confers no rights.
September 18th, 2011 4:46pm
Thank you. I have not made any changes to default auditing, but the logon/logoff events are showing up in the Security event log. Exporting the event log as a text file and grepping for the information I need is so far the quickest method.
As for more auditing, is this done via secpol.msc? There are a couple of promising settings, but it's not clear what they accomplish or what the difference between them is:
Local Policies/Audit Policy (Audit account logon events)
Advanced Audit Policy Configuration/System Audit Policies - Local Group Policy Object (Logon/Logoff)
:-( + :-) = :-) :-)
September 19th, 2011 5:27am
Hi,
The nine basic audit policies under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy allow you to configure security audit policy settings for broad sets of behaviors, some of which generate many more audit events than others. An administrator has to review all events that are generated, whether they are of interest or not.
In Windows Server 2008 R2 and Windows 7, administrators can audit more specific aspects of client behavior on the computer or network, thus making it easier to identify the behaviors that are of greatest interest. For example, in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, there is only one policy setting for logon events, Audit logon events. In Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies, you can instead choose from eight different policy settings in the Logon/Logoff category. This provides you with more detailed control of what aspects of logon and logoff you can track.
For details:
Advanced Security Audit Policy Step-by-Step Guide
Hope this helps!
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 23rd, 2011 4:27am
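
An added example, not part of any post in this thread: a 'last'-style listing built directly from the Security log with PowerShell, instead of exporting the log and grepping it. The function name `Get-LastLogon`, the 7-day window and the choice of logon types 2 and 10 are assumptions made for illustration; it must be run from an elevated prompt and sticks to PowerShell 2.0 syntax, as shipped with Server 2008 R2.

```powershell
# Added example: emulate Unix 'last' from the Security event log.
# Event IDs: 4624 = logon, 4634 = logoff, 4647 = user-initiated logoff.
function Get-LastLogon {
    param(
        [int]$Days = 7,                # how far back to look (assumed default)
        [int[]]$LogonType = @(2, 10)   # 2 = interactive, 10 = RemoteInteractive (RDP)
    )

    # Filtering happens inside the event log service, so the unrelated
    # Audit Success noise is never returned to the script.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4634, 4647
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        # Event fields are named <Data Name="..."> elements in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # 4647 carries no LogonType; keep it and filter the others by type.
        if ($_.Id -ne 4647 -and $LogonType -notcontains [int]$data['LogonType']) { return }
        # Skip computer accounts (names ending in $).
        if ($data['TargetUserName'] -like '*$') { return }

        $action = if ($_.Id -eq 4624) { 'logon' } else { 'logoff' }

        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Action  = $action
            User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Type    = $data['LogonType']
            Source  = $data['IpAddress']       # only present on 4624
            LogonId = $data['TargetLogonId']   # pairs a logon with its logoff
        }
    } | Select-Object Time, Action, User, Type, Source, LogonId
}

# Newest events first, like 'last'.
Get-LastLogon -Days 7 | Format-Table -AutoSize
```

Passing `-LogonType 2,3,7,10,11` widens the listing to network logons, workstation unlocks and cached-credential logons.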


