Showing results for 
Show  only  | Search instead for 
Did you mean: 
Engaged Sweeper

Is there a way to run a report that show how many times a user logs onto an asset over a period of time?

This would include unlocking their computer/asset.  How many time they had to log back on to a PC after their account was locked after machine inactivity.

Would like to see the Username and Asset.


Champion Sweeper III

Alternatively, if for example you only need this kind of information very sporadically, you could write your own powershell script that queries the security eventlog for ID 4800 & 4801. Store the result from this query in a custom event (using the 'eventcreate' command) and create an LS report on this specific event.

We use this approach regularly eg. to check on unofficial hotspot usage, vulnerable files, large files/folders, etc....

Champion Sweeper II

Man I totally go down rabbitt holes, sorry!  Hendricks is way better, I did that in the past, I don't know why I didn't think of that.  You can make a scheduled task to run the powershell commands, have it create a critical event so Lansweeper picks it up... make the frequency that you want, export the task as XML file... deploy it alongside the command to import it (i just use the command line command) and viola.  I would give you the command but I'm on my phone.  Ignore my other stuff as that's me going on a tangent.  I still recommend an active directory monitoring solution though.

Champion Sweeper II

Lansweeper is a as-requested or as-scheduled scanner, and it captures a point-in-time of the scan - i.e. if a user is logged on, it updates the user information as being logged on.  So, if user B logs on later after the scan, it won't capture that unless user B is still logged on during the next scheduled scan.

Lansweeper does have the ability to scan event logs though, and the user logins/logoffs and locks/unlocks of computers are stored in the security event log...  however, unfortunately you have to enable auditing on the security event log, which will increase the local event log sizes -  and, you will have to tell lansweeper to collect event log entries for type = informational - which will also increase the database size (event logs table) in Lansweeper. 

If you have a really small environment, you could probably get away with this.  If larger, you will probably slow down lansweeper and bloat the event log table considerably.  I think they warn you if you turn those on in the GUI.

For what its worth -  a reference is here:

I would recommend using an active directory auditor/monitor such as ADAudit. 

You could make a report on the asset + users and logon counts (though this not granular like I mentioned above) but it gives you a rough idea...   reference:


Engaged Sweeper

Very much appreciated!