0

The Security Event Log logs all types of "logon events" - Interactive, batch, service, remote-network. This is one way of getting to the bottom of who logged on to a server.

Then there's the profile folders under C:\Users

What else can be used in order to make the determination as to which user accounts are "using" a particular Windows server (whether remotely or interactively)?

Thanks

Spirited Warrior
  • 19
  • 2

1 Answers1

0

You can look for Logon Type 2 (local interactive) or 10 (remote interactive) in the event log, or you can look at the list of user profiles in Advanced system settings. Either one should get you the info you're loooking for.

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

joeqwerty
  • 109,901
  • 6
  • 81
  • 172