Hello.
I'm searching for a way to check how long a workstation has been 'Locked' via the standard Ctrl-Alt-Del windows locking mechanism. Poking around the forums here, I located this information:
(Msg. 5) Posted: Thu Jun 24, 2004 3:49 pm
Post subject: Re: "Lock Computer" Log [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
First auditing of logon events has to be enabled on the computer via Local Security Policy or possibly domain level if in a domain. Then you can search the security log in Event Viewer for Event ID's 528 [logon] and 538 [logoff] but only for logon type 7 which indictes the the computer was locked/unlocked. --- Steve
While this seems to be just the ticket, there is a problem. No event seems to be logged into the security log when the computer is initially locked; instead the 528:7 and 538:7 events are logged simultaneously when the computer is unlocked. Obviously, this does me no good, as I'm attempting to access a computer that is currently locked, and determine when it entered that state.
Is this simultaneous logging an error in our settings somewhere or is it an unfortunate part of windows? If the latter, is there any other way to check the duration of a lock?
I'm an administrator for a university with a busy computer lab. Our students have recently fallen into the habit of checking out a computer before class, locking it while they are away at class for 3 or 4 hours, then returning to have a workstation waiting for them instead of having to wait. A method to determine who is legitimately away for a few minutes to grab a snack from those who are denying other students access is crucial. We have a policy that prohibits locking a computer for more than 30 minutes, but no real way to enforce it.
Thank you in advance.
I'm searching for a way to check how long a workstation has been 'Locked' via the standard Ctrl-Alt-Del windows locking mechanism. Poking around the forums here, I located this information:
(Msg. 5) Posted: Thu Jun 24, 2004 3:49 pm
Post subject: Re: "Lock Computer" Log [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
First auditing of logon events has to be enabled on the computer via Local Security Policy or possibly domain level if in a domain. Then you can search the security log in Event Viewer for Event ID's 528 [logon] and 538 [logoff] but only for logon type 7 which indictes the the computer was locked/unlocked. --- Steve
While this seems to be just the ticket, there is a problem. No event seems to be logged into the security log when the computer is initially locked; instead the 528:7 and 538:7 events are logged simultaneously when the computer is unlocked. Obviously, this does me no good, as I'm attempting to access a computer that is currently locked, and determine when it entered that state.
Is this simultaneous logging an error in our settings somewhere or is it an unfortunate part of windows? If the latter, is there any other way to check the duration of a lock?
I'm an administrator for a university with a busy computer lab. Our students have recently fallen into the habit of checking out a computer before class, locking it while they are away at class for 3 or 4 hours, then returning to have a workstation waiting for them instead of having to wait. A method to determine who is legitimately away for a few minutes to grab a snack from those who are denying other students access is crucial. We have a policy that prohibits locking a computer for more than 30 minutes, but no real way to enforce it.
Thank you in advance.