This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2009-11-03 02:12 PM

Report when a user physically sits in front of computer and logs in at the beginning of the day

I'm trying to create a report when a user physically sits at their Windows workstation and logs into the domain at the beginning of the day. So far the best I've come up with is MS Event ID 672. Explanation from UltimateWindowsSecurity is: "At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT." This event also seems to relate to workstation unlock events.

 

I'd like to know if anyone has attempted a similar report and if they have better results. I believe one inconsistency is if the user has their workstation locked with a connection to a Citrix session it will continue to "handshake" with that session so I had to set up an exclusion of the Citrix server IP. Still, there are logon events recorded during non-business hours on users who have no remote access except OWA.

 

Any help is appreciated.

0 Likes
Reply
2 Replies
RSAAdmin
Beginner
Beginner
‎2009-11-04 01:42 PM

How about Event 528 (or 4624)?  I'm assuming that you are recording the logs from the workstation as well and not just from your domain controllers. 
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-11-04 03:43 PM

I do not gather logs from workstations. I can go to the workstation and observe the logs on a particular box, but the domain controller is the one handling the logon event, or controlling the authentication process. I think 672 (4768?) is the best single event to determine when someone is physically at their workstation, hitting the keys to input their credentials to either logon or unlock their workstation. I'm wondering if there is a better way to do it within Envision's structure, or if there is another way others are able to discover this information accurately.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.