Gpedit and Event Viewer – I was asked by my boss to record the login time of someone in the office. This can be done by looking at the Security log in Event Viewer. But before we can see logon events in Event Viewer, we have to activate them using Group Policy Editor. I have to activate the successful logon event without the user's knowledge. So this is kind of a secret mission 🙂
Below are the steps we need to follow to view someone's logon time. If possible I do this remotely from my computer; if not, I do it on the client computer secretly (after working hours). To be able to open Event Viewer (eventvwr) and Group Policy Editor (gpedit.msc) you must first be a member of the local administrator group.
1. Run Event Viewer remotely
Open Event Viewer remotely to make sure I can find event ID 4648 in the Security log. To do this I have to log on as local administrator remotely from my laptop, or my account has to be a member of the local administrator group on the target computer. Click Start > Control Panel > Administrative Tools > Event Viewer.
You can also type eventvwr.exe in the search box. Right-click Event Viewer, choose Connect to Another Computer, and type the target PC name. You should now be able to see the Event Viewer log. Search for event ID 4648; if you cannot find it, you have to run Group Policy Editor (gpedit.msc) on the target computer.
Pic: Windows 7: Remotely access event viewer on other computer.
2. Run Group Policy Editor (gpedit.msc) on target computer
This must be done on the target computer because, although we can run gpedit.msc remotely, we cannot open the security settings that way. In the search box, type gpedit.msc.
In the left pane, double-click Windows Settings > Security Settings > Local Policies > Audit Policy. In the right pane, double-click Audit logon events, check Success and Failure, and click OK.
We are done with the settings in Group Policy Editor. Now we have to add our username to the local administrator group so that we can view Event Viewer remotely.
3. View the target computer’s Event Viewer remotely
Because we have already added our username to the local administrator group, we can now open Event Viewer remotely from our computer. Click Start and type eventvwr.exe.
In the left pane, right-click Event Viewer, click Connect to Another Computer, type the target computer name and click OK.
Filter the result: in the left pane, right-click Security and click Filter Current Log. Under Keywords, choose Audit Success, and in the event ID section type 4648, then click OK. Now the result will display only event ID 4648.
What information do we need to look for?
On the General tab, scroll down and find Account Name: under Account Whose Credentials Were Used: that is the user name we are looking for. Under Logged: is the time when that user logged in. Now I can see the information I need, like account name and logged time.
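The same filter and field lookup from step 3 can be done from PowerShell. This is an added example, not part of the original post: the function names, the computer name PC-TARGET and the sample event (account jdoe, domain EXAMPLE) are constructed, and TargetUserName is the event XML field behind "Account Whose Credentials Were Used".

```powershell
# Added example, not from the original post. PC-TARGET and the sample event are constructed.
function ConvertFrom-Event4648Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    # Flatten the <Data Name="...">value</Data> elements into a lookup table.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        LoggedUtc   = $evt.System.TimeCreated.SystemTime
        Computer    = $evt.System.Computer
        # "Account Whose Credentials Were Used" > "Account Name" on the General tab
        AccountName = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        Process     = $data['ProcessName']
    }
}

function Get-Event4648 {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # Same selection as "Filter Current Log": Security log, event ID 4648.
    $filter = @{ LogName = 'Security'; Id = 4648; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-Event4648Xml -EventXml $_.ToXml() }
}

# Constructed sample event (trimmed to the fields used above) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2024-01-15T01:02:11.000000000Z" />
    <Computer>PC-TARGET</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">PC-TARGET$</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4648Xml -EventXml $sample | Format-List

# Live query (needs membership of the local administrator group on the target):
# Get-Event4648 -ComputerName 'PC-TARGET' | Sort-Object LoggedUtc | Format-Table -AutoSize
```

The time in the event XML is UTC, while the Logged: field in Event Viewer shows local time. If the live query reports that no events were found, the audit policy from step 2 has not been enabled on the target yet.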
Some points we can note here:
We can view Event Viewer directly on the client computer or remotely, but both need our account to be a member of the local administrator group. The computer must be on when we are checking, locally or remotely.
Event Viewer can only be viewed when our account is a member of the local administrator group.
We have to activate the logon event in Group Policy Editor first before we can audit successful logons.
Group Policy can be opened remotely, but we cannot see the security settings section, so we have to log on locally to see it.
I hope you find this post about how to open Event Viewer and Group Policy Editor (gpedit.msc) on a remote machine useful. See you in the next post.