I'm trying to create a report when a user physically sits at their Windows workstation and logs into the domain at the beginning of the day. So far the best I've come up with is MS Event ID 672. Explanation from UltimateWindowsSecurity is: "At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT." This event also seems to relate to workstation unlock events.
I'd like to know if anyone has attempted a similar report and if they have better results. I believe one inconsistency is if the user has their workstation locked with a connection to a Citrix session it will continue to "handshake" with that session so I had to set up an exclusion of the Citrix server IP. Still, there are logon events recorded during non-business hours on users who have no remote access except OWA.
Any help is appreciated.