SEARCH

How-To Geek

How To See Who Logged Into a Computer and When

image

Have you ever wanted to monitor who’s logging into your computer and when? On Professional editions of Windows, you can enable logon auditing to have Windows track which user accounts log in and when.

The Audit logon events setting tracks both local logins and network logins. Each logon event specifies the user account that logged on and the time the login took place. You can also see when users logged off.

Enable Logon Auditing

First, open the local group policy editor – press the Windows key, type gpedit.msc in the Start menu, and press Enter. (You can also enable logon event auditing on a domain controller if you administer a network with centralized logins.)

image

Navigate to the following folder: Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Audit Policy.

image

Double-click the Audit logon events policy setting in the right pane to adjust its options. In the properties window, enable the Success checkbox to log successful logons. You can also enable the Failure checkbox to log failed logins.

image

Viewing Logon Events

After enabling this setting, Windows will log logon events – including a username and time – to the system security log.

To view these events, open the Event Viewer – press the Windows key, type Event Viewer, and press Enter to open it.

image

Navigate to the Windows Logs –> Security category in the event viewer.

Look for events with event ID 4624 – these represent successful login events.

image

To see more information – such as the user account that logged into the computer – you can double-click the event and scroll down in the text box. (You can also scroll down in the text box underneath the list of events.)

image

If your security log is cluttered, you can click the Filter Current Log option in the sidebar and filter by event ID 4624. The Event Viewer will display only logon events.

Because this is just another event in the Windows event log with a specific event ID, you can also use the Task Scheduler to take action when a logon occurs. You can even have Windows email you when someone logs on.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 09/13/12

Comments (17)

  1. AJ

    nice article.
    i like the id “Someone Else” in first pic … lol …

  2. r

    I have several accounts on my mobile workstation, but they are all for me. As long as I’m an IT dude & server admin nobody else has an account to log on to this computer…& that’s also why I bought my wife a Mac-book :P

  3. HoOz

    nice nd very useful

  4. Ken

    Is it possible on Linux Ubuntu?

  5. Diwan Bisht

    Very fantastic article. wounder-full job ………

  6. Def M

    The Group Policy editor is not available with Windows 7 Home Premium .

  7. Baback

    Nice article, thanks

  8. Jason

    I tried this on one of our company’s conference room workstations and after a week, it would no longer allow users other than admin to log in because the security log was full. I had to log in, clear the logs and turn off auditing. Any suggestions on working around this issue? (This was an XP Pro machine, if relevant.)

  9. r

    @ Jason:
    start “event viewer” > in the console tree navigate to & select the event log you want to manage > on the “action menu” click Properties> in “maximum log size” use the spin-control to set the value you want
    –in your case increase it to whatever is necessary. This may help

  10. Bob Christofano

    Good article. Thank you very mucyh.

  11. Jason

    @R Thanks I’ll give it a shot.

  12. jobin

    Can i do the same in domain policy and how can i save the log files in a separate folder

  13. Mesum Hossain

    This is an amazing and very informative article.

  14. sally mwale

    I always wondered if such a thing ever was possible..
    thanks it changed everything

  15. Torwin

    I looked at Security Policies, saw that no auditing was enabled, and ticked the boxes for successful and failed log-ons. Then looked at the Security Log and found it was not empty, there was already ~32,000 events recorded going back months. Looks like events are recorded regardless of settings. “Enabling the Audit” actually enables display what is already there.

  16. rishirajsurti

    Please have a option for “saving the article”, of which all the saved articles can be accessed in future by the member.

  17. severos

    amazing stuff

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!