SCCM reporting - logging the login and logoff events on every device.

Hi,
I am currently looking at recording the login and logoff events on all 10k devices we support.
We are running System Center 2012 R2 on Windows Server 2012 within a hierarchy with two primaries.
Any help would be greatly received.
Thanks,
Katie 

There is an easy way to do this via Group Policy:
http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
You'd have to do regular housekeeping though as the files could get big.
Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

Similar Messages

  • Need to collect the Windows logon and logoff events across the Domain in a DC environment, for different machines and user accounts.

    Hello All,
    I am trying to build a tool to collect info about all the users who log in and log off on a daily basis in a domain network. I am using a Windows 2008 server as a DC and have XP, Win 7, Win 8 and Win 12 server as clients in the network.
    There are a few questions in my mind which I am not able to answer.
    1> When a user tries to log in to the DC network, he/she gets authenticated using the Kerberos protocol. Do these authentications get logged on the AD server by default? I have seen a way to enable it from the registry, but even that's not giving me the expected output in the eventvwr.
    2> Do I have to use audit policies to monitor all the users' logoff and logon activities?
    3> Is there a way to collect this information from any place on the AD server other than the eventvwr?
    Please help me in finding the solutions to these queries of mine.
    Thanks.

    1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Administrative Tools → Group Policy Management.
    2. In the left pane, navigate to Forest: <domain_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
    3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
    4. Set the Audit account management and the Audit directory service access policies to "Success". Set the Audit logon events policy to "Success" and "Failure".
    5. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.

    The number of events could be excessive, so you need to adjust the size of the Security log (1 GB, for example).

    Usage of the EventCombMT tool (part of MS ALtools)
    This tool gathers specific events from several different servers to one central location.
    Run EventCombMT.exe > right-click the "Select to search" field > choose "Get DCs in Domain" > mark your domain controllers for search.
    Click the Searches menu > replace the Event ID field values with 4624 (LOGON) / 4634 (LOGOFF).
    Click Search and wait for the process to complete the operation.
    After the search is done, the output directory contains the log files for the domain controllers where events with the specified Event IDs were found.

    Alternatively you can try the Netwrix Auditor for Active Directory solution, with 20 days of free trial, to generate such reports.
    --- Jeff (Netwrix)
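
The answer above enables logon auditing and then collects event IDs 4624 and 4634. As an added example (not part of the original posts and not Microsoft or Netwrix code), the PowerShell function below reads those two event IDs from the Security log of each computer it is given and pairs them by logon ID into sessions. The function name, the host names in the usage comment and the logon-type filter are assumptions made for this illustration.

```powershell
# Added example: pair logon (4624) and logoff (4634) events into sessions.
# Get-LogonSession is a hypothetical name; it assumes "Audit logon events"
# is enabled and that the caller may read the remote Security log.
function Get-LogonSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [datetime] $StartTime = (Get-Date).AddDays(-1),
        # 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive
        [int[]] $LogonType = @(2, 10, 11)
    )

    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $StartTime }
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Also reached when no matching events exist in the time window.
            Write-Warning "No events read from ${computer}: $($_.Exception.Message)"
            continue
        }

        $open = @{}   # TargetLogonId -> logon record still waiting for its logoff
        foreach ($evt in ($events | Sort-Object TimeCreated)) {
            # Read EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            if ([int]$data['LogonType'] -notin $LogonType) { continue }
            $logonId = $data['TargetLogonId']

            if ($evt.Id -eq 4624) {
                $open[$logonId] = [pscustomobject]@{
                    Computer  = $computer
                    User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    LogonType = [int]$data['LogonType']
                    Source    = $data['IpAddress']
                    LogonId   = $logonId
                    Logon     = $evt.TimeCreated
                    Logoff    = $null
                    Duration  = $null
                }
            }
            elseif ($open.ContainsKey($logonId)) {
                # 4634 closes the session opened by the 4624 with the same logon ID.
                $session = $open[$logonId]
                $session.Logoff   = $evt.TimeCreated
                $session.Duration = $session.Logoff - $session.Logon
                $open.Remove($logonId)
                $session
            }
        }

        # Sessions with no logoff inside the window (still logged on, or the
        # logoff record was not written or has already been overwritten).
        $open.Values
    }
}

# Usage (host names are placeholders):
# Get-LogonSession -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' |
#     Export-Csv -Path .\logon-sessions.csv -NoTypeInformation
```

Interactive logons are written to the Security log of the machine where the user logs on, so the computer list decides which sessions the report can see.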

  • HT1144 When I log into the app store it has the previous owners id at the login and doesn't let me change it to mine.  how do I change this?

    I need help - can't seem to log in to the App Store to update my iphoto because the previous owners id is in the login and it's grayed out so it doesn't let me log in.

    Go to the App Store and sign out.  Then sign back in with your Apple ID:
    Happy Holidays

  • [LOG] The data portion of event 18265 from MSSQL$SQLSERVER is invalid

    Hi All,
    I have an instance (SQL SERVER 2008 R2) with 30 databases, all are in full recovery mode.
    While doing the TLOG backup I found following error in the MSSQL AGENT ERROR LOG.
    [LOG] The data portion of event 18265 from MSSQL$SQLSERVER is invalid
    While finding the reason I found that only two small databases are causing this error recording in MSSQL AGENT ERROR LOG. I executed a manual Tlog backup for the identified databases using TSQL and it shows successful backup (please see below output) but agent error log was dumped with the new entries showing the same error (even agent was not used to execute the job).
    Processed 0 pages for database 'XYZ-ae94-41c157aa36a1', file 'XYZ-ae94-41c157aa36a1_log' on file 1.
    BACKUP LOG successfully processed 0 pages in 0.227 seconds (0.000 MB/sec).
    Processed 10 pages for database 'ABC-ccb8c6d4ef00', file 'ABC-ccb8c6d4ef00_log' on file 1.
    BACKUP LOG successfully processed 10 pages in 0.102 seconds (0.727 MB/sec).
    Please assist with your experience for such scenario.
    Best Regards
    khalil

    [LOG] The data portion of event 18265 from MSSQL$SQLSERVER is invalid
    18265 = Log was backed up. Database: %s, creation date(time): %s(%s), first LSN: %s, last LSN: %s, number of dump devices: %d, device information: (%s). This is an informational message only. No user action is required.
    Those lengths are a bit excessive, but certainly within the permitted realms. Are there any other database names that are this long? Are there any special characters in the names?
    Erland's guess is correct. Mostly it's due to https://support.microsoft.com/kb/2723474
    Balmukund Lakhani

  • I've lost the contacts and calendar events from my 3GS after setting up iCloud with iPad3 and PC Outlook.  Any solutions?

    I've lost the contacts and calendar events (& email) from my 3GS after setting up iCloud with iPad3 and PC Outlook.  Any solutions?
    I tried to re-synch it with the PC iTunes, but no luck, even when re-checking the boxes for Outlook...

    I should mention that i have NOT upgraded to iOS 5 on the 3GS and don't want to.  Therefore, no iCloud on the phone.

  • How can i catch the gotfocus and lostfocus events

    Hi Dear;
    I tried to catch the gotfocus and lostfocus events, but I can't.
    In the same code I can catch the onclick events.
    Is there any special code for the gotfocus and lostfocus events?
    regards;

    Danny;
    Whenever I have an issue such as this I fire up the event logger and it will show you exactly which events you can put your hooks into.   If you are not using it you should really check it out.  Will save you tons of time.
    https://www.sdn.sap.com/irj/sdn/businessone-tools
    I know it's not the exact answer you were looking for but I hope it helps.
    Wayne

  • Report on the dates and the times that software updates went out to particular machines

    Hello all,
    I need to know if there is a way to report on the dates and times that certain software updates installed on certain machines. I see a report that could be it but it does not show any results. The report that I am talking about is under Software update - Distribution status. When I try to run any of those reports I get no matching records could be found so I guess I have 2 questions.

    Yes, I know this is an old post, I’m just trying to clean them up.
    There is no report that will show you when a SU was installed on a PC. At best you can use the last change date, but that is not reliable for several reasons. As for your second question, I’m not sure what report or category you are looking at. You will need to provide more details.
    http://www.enhansoft.com/

  • Hi my trackpad is frozen and I also could not get force quit to work, I closed the top down and now I cannot get past the login and the cursor will not move, does anyone have any ideas

    Hi my trackpad is frozen and I also could not get force quit to work, I closed the top down and now I cannot get past the login and the cursor will not move, does anyone have any ideas

    Try these two steps:
    Intel-based Macs: Resetting the System Management Controller (SMC)
    Resetting your Mac's PRAM and NVRAM

  • Regarding the focusGained and iteratorBindingChange events

    Dear Jdev/JClient team,
    I'm trying to build up a self-style API based upon the
    JClient classes to emulate more or less the mechanisms
    of the Developer tool. My first efforts were to match
    next concepts:
    JUApplication <---> Application (Frame)
    JPanelBinding <---> Form
    JUIteratorBinding <---> Block
    Moreover, I'm using my own toolbar that I want it to
    act at application level. This toolbar uses the
    JUActionBinding dynamically because it's able to target
    the current panel binding "in focus". I'm also intercepting
    the focusGained events to perform the typical navigation
    triggers in Developer: WHEN-NEW-ITEM-INSTANCE,
    WHEN-NEW-RECORD-INSTANCE, WHEN-NEW-BLOCK-INSTANCE and
    WHEN-NEW-FORM-INSTANCE.
    In this context, I have some major concerns:
    1) I've reading about the next 9.0.3 version, and I'm very
    interested, and quite worried, about possible changes
    in the way the focusGained and iteratorBindingChange
    events will be delivered. I mean, these events will be
    delivered in the same situations in the next version??
    Knowledge about this is vital due to the fact that my
    API relies in the JClient current behavior.
    2) Regarding the structure of bindings, I've read and
    I've seen that the JPanelBinding really don't act
    at "Form" level. That is, you can associate all your
    panels to only one JPanelBinding. However, I prefer
    to use one JPanelBinding for each "Form". In this
    context, I have the next particular problem. I have
    two or more JUPanelBinding and I have a class that
    implements the JUNavigationBarInterface to track
    the current JUIteratorBinding by registering itself to
    all these JUPanelBinding, and one of these JUPanelBinding
    has only one JUIteratorBinding. In this case, when
    I navigate to this last JUPanelBinding from another one
    I don't receive the iteratorBindingChange event.
    Browsing the source code this is "normal" because a
    JUPanelBinding with only one JUIteratorBinding is
    expected to delivered this event once. However, this
    mechanism seems very restrictive (or maybe a bug). The
    problem seems to be that the standard toolbar are
    expected to receive these events and track the iterator
    binding, and this standard toolbar only acts at
    JUIteratorBinding or JUPanelBinding level. Nevertheless,
    I want a toolbar that can share all the panel bindings!!
    Is this something you plan to change in 9.0.3? is this
    a bug? a non-supported functionality? What can I do?
    I'm thinking in ignoring the iteratorBindingChange
    events and generating them by myself upon receiving
    the focusGained events which act at JUApplication level.
    Is this a good idea? Will this be compatible with 9.0.3?
    The next piece of code is part of the current implementation
    of the JUPanelBinding. You can see that the mNavBarInit
    variable make the class to only deliver the iteratorBindingChange
    event once if we have only one JUIteratorBinding. This is
    issue I'm referring to.
    public void focusGained(...) {
        if (mNavigationBarList != null) {
            JUIteratorBinding currentIter = null;
            ArrayList al = getIterBindingList();
            if (al.size() > 1) {
                // this could be optimized by keeping track of current iterator.
                currentIter = iterBinding;
            } else if (!mNavBarInit) {
                mNavBarInit = true;
                currentIter = (JUIteratorBinding) al.get(0);
            }
            if (currentIter != null) {
                al = mNavigationBarList;
                for (int i = 0; i < al.size(); i++) {
                    ((JUNavigationBarInterface) al.get(i)).iteratorBindingChanged(currentIter);
                }
            }
        }
    }
    I would appreciate any comments, advice or information you
    can address to me.
    Thanks in advance.
    Jaume Espriu
    Software engineer
    [email protected]
    SAME S.I. S.A.

    1) I've reading about the next 9.0.3 version, and I'm very
    interested, and quite worried, about possible changes
    in the way the focusGained and iteratorBindingChange
    events will be delivered. I mean, these events will be
    delivered in the same situations in the next version??
    Knowledge about this is vital due to the fact that my
    API relies in the JClient current behavior.
    I'm not sure where you get the "impression" that raising of focusGained and iteratorBindingChanged events will be changed?
    - focusGained is generated by Swing and should stay the same. JClient does not raise/block raising of this event.
    - iteratorBindingChanged event is generated by JClient when the RowSetIterator for an iteratorBinding is changed
    No bugs were fixed/resolved for this area of the code.
    2) Regarding the structure of bindings, I've read and
    I've seen that the JPanelBinding really don't act
    at "Form" level. That is, you can associate all your
    panels to only one JPanelBinding. However, I prefer
    to use one JPanelBinding for each "Form". In this
    context, I have the next particular problem. I have
    two or more JUPanelBinding and I have a class that
    implements the JUNavigationBarInterface to track
    the current JUIteratorBinding by registering itself to
    all these JUPanelBinding, and one of these JUPanelBinding
    has only one JUIteratorBinding. In this case, when
    I navigate to this last JUPanelBinding from another one
    I don't receive the iteratorBindingChange event.
    Browsing the source code this is "normal" because a
    JUPanelBinding with only one JUIteratorBinding is
    expected to delivered this event once. However, this
    mechanism seems very restrictive (or maybe a bug). The
    problem seems to be that the standard toolbar are
    expected to receive these events and track the iterator
    binding, and this standard toolbar only acts at
    JUIteratorBinding or JUPanelBinding level. Nevertheless,
    I want a toolbar that can share all the panel bindings!!
    Is this something you plan to change in 9.0.3?
    No.
    is this
    a bug? a non-supported functionality? What can I do?
    You may want to implement some kind of focus changed mechanism where your "common" toolbar is notified of the current panel in focus so that it can then update its iterator binding to current panel's iterator binding.
    Default raising of the event iteratorBindingChanged(), is only within the context of one JUPanelBinding instance.
    I'm thinking in ignoring the iteratorBindingChange
    events and generating them by myself upon receiving
    the focusGained events which act at JUApplication level.
    Is this a good idea? Will this be compatible with 9.0.3?
    I believe so.

  • Windows reports that the "USB-IF xHCI USB Host Controller" device is not working properly.

    I have been receiving the following error and instructions to fix it for a long time now, prior to updating to Windows 8.1:
    A device is not working properly
    Windows reports that the "USB-IF xHCI USB Host Controller" device is not working properly.
    Recommended solution to the problem
    Use Windows Update to check whether new device drivers are available. Proceed as follows:
    Open Device Manager
    Search in the device manager for the device whose driver you would like to update and double-click on the device name. You may first have to enable the "Show hidden devices" entry in the "View" menu.
    Switch to the Driver tab, click Update driver and follow the instructions
    When I follow the instructions and try to update the driver, I am told "The best driver software for your device is already installed."
    How do I update the driver to stop receiving the error?  

    I have solved the initial problem.    
    I found the solution on the Forum at http://h10025.www1.hp.com/ewfrf/wc/document?docname=c03926756&tmp_task=solveCategory&cc=us&dlc=en&la...

  • Where could we find the CT and PT values  for Particular Device ???

    I'm facing a scenario in a report where I need to place a field for the device number and the associated CTs and PTs.
    Where could we find the CT and PT values for a particular device? Basically I'm an MM consultant; we don't have a DM consultant. Please help with this issue.
    I mean, I actually got the table and field details for the transformation ratio (or CT/PT ratio):
    ETYP_UEBERVER, from the screen EG03, t-code,
    but I'm not sure this is the exact field that I require.
    Can anyone help? I will be very thankful for your solution in advance.

    The transformation ratios are attributes of a "Winding Group".  Find the winding group of a device and then you'll get the desired information.

  • I am trying to restore an older iPod Touch, but do not have the passcode.  I am getting an error message saying that I need to free up some space, but I cannot because I don't have the passcode and have never synced this device to my account.  Help..

    I am trying to restore an older iPod Touch, but do not have the passcode.  I am getting an error message saying that I need to free up some space, but I cannot because I don't have the passcode and have never synced this device to my account.  Help..

    If it is asking for the screen-lock passcode then:
    Place the iOS device in Recovery Mode and then connect to your computer and restore via iTunes. The iPod will be erased.
    iOS: Wrong passcode results in red disabled screen                         
    If recovery mode does not work try DFU mode.                        
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings        
    For how to restore:
    iTunes: Restoring iOS software
    To restore from backup see:
    iOS: Back up and restore your iOS device with iCloud or iTunes
    If you restore from iCloud backup the apps will be automatically downloaded. If you restore from iTunes backup the apps and music have to be in the iTunes library since synced media like apps and music are not included in the backup of the iOS device that iTunes makes.
    You can redownload most iTunes purchases by:
    Downloading past purchases from the App Store, iBookstore, and iTunes Store        
    If there is a problem, what happens or does not happen, and when in the instructions? When you successfully get the iPod in recovery mode and connect to the computer, iTunes should say it found an iPod in recovery mode.
    Otherwise follow varjak paw's recommendation

  • A Volume-like icon appeared on the desktop and it stays on every application I open.

    I have a month old HP Pavillion 23 with Windows 8.1.  About 2 weeks ago an icon that looks like a volume gauge appeared on the upper left side of the screen on the desktop and it stays on every application I open.  If I click on it, the purple gauge goes from the bottom to the top and the numbers on the bottom go up to 100.  Whatever it is, it's also preventing me from opening/clicking on the Start icon or tabbing between open apps.  How do I get rid of this? 

    Hello @Sheshe73,
    I understand that about 2 weeks ago the volume gauge appeared on your computer and it is causing you grief. I recommend that you follow the steps in the HP Support document: Using Microsoft System Restore (Windows 8), which is also good for Windows 8.1, and restore your computer back to just before the volume control appeared. This will in effect remove the control and allow you to continue to use your computer without its interference.
    I hope I have answered your question to your satisfaction. Thank you for posting on the HP Forums. Have a wonderful day!
    Please click the "Thumbs Up" on the bottom right of this post to say thank you if you appreciate the support I provide!
    Also be sure to mark my post as “Accept as Solution" if you feel my post solved your issue, it will help others who face the same challenge find the same solution.
    Dunidar
    I work on behalf of HP
    Find out a bit more about me by checking out my profile!
    "Customers don’t expect you to be perfect. They do expect you to fix things when they go wrong." ~ Donald Porter

  • How can I store movies in the cloud and access them from my devices?

    Hello,
    I would like to store movies in the cloud and access them from my device without having to download them to the device because there is not enough space on the harddrive to store them on it. How would I do this? Would I have to download the movies to my PC or could I store them directly in the cloud?
    Thanks,
    Tyler

    Unfortunately I don't use sugarsync myself, I have a dropbox account and it works slightly differently.
    As I understand it you can upload files to a folder in sugarsync from your computer without having them sync to any of your devices. You can access that folder from any of your devices, and although you would need to download them in order to play the video file, you could then delete them without deleting the files in the sugarsync folder in the cloud.

  • How can I store movies in the cloud and access them on my devices without having to download them to them?

    Hello,
    I would like to store movies in the cloud and access them from my device without having to download them to the device because there is not enough space on the harddrive to store them on it. How would I do this? Would I have to download the movies to my PC or could I store them directly in the cloud?
    Thanks,
    Tyler

    Would I have to download the movies to my PC or could I store them directly in the cloud?
    There is good news coming!
    Technology experts are working on a movie storage system where YOU have physical possession of the movie.
    This system stores the movie digitally on an optical disk system that will not be dependent upon a congested, complicated, and fragile network.
    Because all of the data is stored only a few feet from your television, all the bottlenecks are removed.  Performance and reliability are virtually flawless.
    Further, the system will not utilize any form of security codes, authentications, or passwords. Once the optical disc is purchased it can be moved around freely at will, and can even be lent or given to friends and neighbors with zero hassles.
