Report when a user physically sits in front of computer and logs in at the beginning of the day
I'm trying to create a report when a user physically sits at their Windows workstation and logs into the domain at the beginning of the day. So far the best I've come up with is MS Event ID 672. The explanation from UltimateWindowsSecurity is: "At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT." This event also seems to relate to workstation unlock events.
I'd like to know if anyone has attempted a similar report and if they have better results. I believe one inconsistency is that if the user has their workstation locked with a connection to a Citrix session, it will continue to "handshake" with that session, so I had to set up an exclusion of the Citrix server IP. Still, there are logon events recorded during non-business hours for users who have no remote access except OWA.
Any help is appreciated.
I do not gather logs from workstations. I can go to the workstation and observe the logs on a particular box, but the domain controller is the one handling the logon event, or controlling the authentication process. I think 672 (4768?) is the best single event to determine when someone is physically at their workstation, hitting the keys to input their credentials to either log on or unlock their workstation. I'm wondering if there is a better way to do it within Envision's structure, or if there is another way others are able to discover this information accurately.
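An added example, not part of the original post: a sketch of the report logic described above, run over TGT-request records (Event ID 672 / 4768) collected from the domain controller. It keeps the first request per user per day, drops the Citrix server and machine accounts, and flags first logons outside business hours for review. The record layout, IP addresses, account names and business-hours window are all assumptions constructed for the example, not an enVision export format.

```python
from datetime import datetime, time

# Constructed sample records: (timestamp, account, client address).
SAMPLE_EVENTS = [
    ("2024-03-04 07:58:12", "alice", "10.0.5.21"),
    ("2024-03-04 08:40:03", "alice", "10.0.5.21"),         # later unlock, same day
    ("2024-03-04 06:15:44", "bob", "10.0.9.50"),           # via Citrix server
    ("2024-03-04 09:02:30", "bob", "10.0.5.34"),
    ("2024-03-04 02:11:09", "carol", "10.0.5.40"),         # outside business hours
    ("2024-03-04 08:01:00", "WKSTN21$", "10.0.5.21"),      # machine account
    ("2024-03-05 08:03:51", "Alice", "::ffff:10.0.5.21"),  # IPv4-mapped form
]

CITRIX_IPS = {"10.0.9.50"}                               # hypothetical exclusion list
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed window


def first_logons(events, excluded_ips=CITRIX_IPS):
    """Return {(user, date): (datetime, ip)} for the earliest TGT request per user per day."""
    first = {}
    for ts, user, ip in events:
        if ip.startswith("::ffff:"):          # normalise IPv4-mapped addresses
            ip = ip[len("::ffff:"):]
        # Skip computer accounts (trailing $) and requests from excluded hosts.
        if user.endswith("$") or ip in excluded_ips:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        key = (user.lower(), when.date())
        if key not in first or when < first[key][0]:
            first[key] = (when, ip)
    return first


def report(events):
    """Rows of (date, user, first_seen, ip, off_hours), sorted by user then date."""
    rows = []
    for (user, day), (when, ip) in sorted(first_logons(events).items()):
        off_hours = not (BUSINESS_START <= when.time() <= BUSINESS_END)
        rows.append((day.isoformat(), user, when.strftime("%H:%M:%S"), ip, off_hours))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS):
        print(row)
```

A TGT request only shows that credentials were presented from that client address, so rows flagged off-hours are candidates for review rather than proof of someone at the keyboard.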