11-30-2022 08:08 PM - last edited on 04-01-2024 12:28 PM by Mercedes_O
Is there a way to run a report that shows how many times a user logs onto an asset over a period of time?
This would include unlocking their computer/asset. How many times they had to log back on to a PC after their account was locked after machine inactivity.
Would like to see the Username and Asset.
12-01-2022 09:40 AM
Alternatively, if for example you only need this kind of information very sporadically, you could write your own PowerShell script that queries the security event log for ID 4800 & 4801. Store the result from this query in a custom event (using the 'eventcreate' command) and create an LS report on this specific event.
We use this approach regularly, e.g. to check on unofficial hotspot usage, vulnerable files, large files/folders, etc.
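The approach described in the reply above, sketched as an added example (not code from the thread or from Lansweeper): it counts lock (4800) and unlock (4801) events per user and writes one custom Application-log event per user with `eventcreate`. The 7-day window, the source name `LockUnlockAudit`, event ID 901 and the `ERROR` type are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: per-user lock/unlock counts published as custom events.
# Assumed values (not from the thread): window, source name, event ID, type.
$Days    = 7
$Source  = 'LockUnlockAudit'   # hypothetical source name
$EventId = 901                 # eventcreate accepts IDs 1-1000
$Type    = 'ERROR'             # choose the level your event log scanning collects

$filter = @{
    LogName   = 'Security'
    Id        = 4800, 4801     # 4800 = workstation locked, 4801 = unlocked
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if (-not $events) {
    # 4800/4801 are only written when "Audit Other Logon/Logoff Events" is enabled.
    Write-Output "No 4800/4801 events in the last $Days days; check the audit policy."
    return
}

$rows = foreach ($e in $events) {
    # Read the account from the named EventData fields rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Action = if ($e.Id -eq 4800) { 'Lock' } else { 'Unlock' }
    }
}

$summary = $rows | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        Asset   = $env:COMPUTERNAME
        User    = $_.Name
        Locks   = @($_.Group | Where-Object Action -eq 'Lock').Count
        Unlocks = @($_.Group | Where-Object Action -eq 'Unlock').Count
    }
}

foreach ($s in $summary) {
    $desc = 'Asset={0}; User={1}; Locks={2}; Unlocks={3}; Days={4}' -f $s.Asset, $s.User, $s.Locks, $s.Unlocks, $Days
    # One short custom event per user keeps each description easy to report on.
    & eventcreate.exe /L APPLICATION /T $Type /SO $Source /ID $EventId /D $desc | Out-Null
}

$summary | Format-Table -AutoSize
```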
12-01-2022 01:21 PM
Man I totally go down rabbit holes, sorry! Hendricks is way better, I did that in the past, I don't know why I didn't think of that. You can make a scheduled task to run the PowerShell commands, have it create a critical event so Lansweeper picks it up... make the frequency that you want, export the task as XML file... deploy it alongside the command to import it (I just use the command line command) and voilà. I would give you the command but I'm on my phone. Ignore my other stuff as that's me going on a tangent. I still recommend an active directory monitoring solution though.
11-30-2022 11:46 PM
Lansweeper is an as-requested or as-scheduled scanner, and it captures a point-in-time of the scan - i.e. if a user is logged on, it updates the user information as being logged on. So, if user B logs on later after the scan, it won't capture that unless user B is still logged on during the next scheduled scan.
Lansweeper does have the ability to scan event logs though, and the user logins/logoffs and locks/unlocks of computers are stored in the security event log... however, unfortunately you have to enable auditing on the security event log, which will increase the local event log sizes - and, you will have to tell Lansweeper to collect event log entries for type = informational - which will also increase the database size (event logs table) in Lansweeper.
If you have a really small environment, you could probably get away with this. If larger, you will probably slow down Lansweeper and bloat the event log table considerably. I think they warn you if you turn those on in the GUI.
For what it's worth - a reference is here: https://stackoverflow.com/questions/11385164/eventviewer-eventid-for-lock-and-unlock
I would recommend using an active directory auditor/monitor such as ADAudit.
You could make a report on the asset + users and logon counts (though this is not granular like I mentioned above) but it gives you a rough idea... reference: https://community.lansweeper.com/t5/forum/report-on-user-logins-multiple-assets/m-p/30329
-Rom
11-30-2022 11:55 PM
Very much appreciated!