Goal – audit user logons & logoffs. I enable auditing at the domain level. I go to the OU with the computer object of the user I want to audit and set it to audit “account logon events” and “logon events” for success.
I check the security logs on the local PC (Win7) and I can see multiple logons and logoffs. I can see the “account name” for the user I am looking for – so auditing is working.
Q – when I go to filter the log for just that user – no matter what I seem to put in the filter – I get ZERO results. Even though I can see that it is – in fact – there.
So what am I doing wrong? In 2003 server I could do a filter in seconds but something is missing with this.
Should I export the log as a .csv and use Excel to do a filter?
So – if anyone has the proper way to do this – audit an individual logon & logoff and then filter it to just a particular user – it would be greatly appreciated.
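
One way to do the per-user filter asked about above, as an added example that is not part of the original post: on Windows 7 the audited account is stored in the event data as `TargetUserName`, while the Event Viewer filter's "User" field matches the event's System-level user, which is N/A for these audit events, so the query has to match on the event data. The account name `jdoe` and the CSV path are placeholders, and the script assumes an elevated PowerShell prompt on the audited PC.

```powershell
# Added example: list logon/logoff events for one account from the local Security log.
# Run from an elevated PowerShell prompt on the audited PC.
$User = 'jdoe'   # placeholder: account name exactly as logged (the match is case-sensitive)

# 4624 = successful logon, 4634 = logoff, 4647 = user-initiated logoff.
# The account name is matched against EventData/TargetUserName.
$xpath = "*[System[(EventID=4624 or EventID=4634 or EventID=4647)]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$User']]"

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)

# Common LogonType values recorded in 4624/4634.
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock';
                 '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a name/value table.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    $type = $fields['LogonType']          # absent on 4647
    if ($type -and $logonTypes.ContainsKey($type)) { $type = $logonTypes[$type] }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Action    = $(if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' })
        Domain    = $fields['TargetDomainName']
        User      = $fields['TargetUserName']
        LogonType = $type
        LogonId   = $fields['TargetLogonId']   # same value on a logon and its logoff
    }
}

$rows | Sort-Object Time |
    Select-Object Time, EventId, Action, Domain, User, LogonType, LogonId |
    Format-Table -AutoSize

# Optional: write the same rows to a CSV for Excel (placeholder path).
# $rows | Sort-Object Time | Export-Csv -Path .\logons-jdoe.csv -NoTypeInformation
```

The same XPath expression can be used in Event Viewer through Filter Current Log, on the XML tab with "Edit query manually" ticked, as the body of the `Select` element for the Security log.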