Because this is after the fact and you are tyring to do a forensic investigation post mortum... its a little to late to turn on the proper event logging to track user logins through EventLog (which you should have on anyways. Never did understand why the default wasn't ON by default)
At this point, if you have the Resource kit, you can use the "usrstat.exe" tool to get such information. If you just want to get the last time a user logged on, in the cmd line try: net user <username> | find "Last logon" or if you want to do it through the domain controller: net user <username> /DOMAIN | find "Last logon" Example: Cmd: net user dana | find "Last logon" Result: Last logon 7/22/2003 5:15 PM This method doesn't do a full logon history like the unix "last" command.. but it can help a bit finding out when people last logged on. Hope thats somewhat helpful. --- Regards, Dana M. Epp ----- Original Message ----- From: "Jose Guevarra" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 22, 2003 11:02 AM Subject: finding who has logged in on Win2k Pro > Hi, > > We have possibly had some type of incident at our work place. I'd like to > know if it is possible to check and see the "User Login" history on a Win2K > pro machine. Is this history log enabled by default? What are some other > ways? > > thanx, > > -Jose G.- > > > -------------------------------------------------------------------------- - > -------------------------------------------------------------------------- -- > --------------------------------------------------------------------------- ----------------------------------------------------------------------------
