When attempting to run the Logon Sessions report the report keeps timing out. You may encounter this either in Reporting Console, InTrust reporting jobs and/or InTrust Knowledge Portal reports.
This can occur when attempting to track Network Logins, EventID 540, in the Security Log of the Domain Controllers. Domain Controllers can potentially generate thousands (or more) of these events every minute. In other words if you press Ctrl+Alt+Del at a workstation or a server you will have a single 528 event when you log on and a 538 when you log off a few minutes (hours, days, etc) later. However the DC that validates your logon will have multiple 540 (network logon) and 538 (network log off) events for this same time period which makes it problematic to use this DC specific data to generate the report as it will show a lot of very short time periods rather than the actually time logged on.
To get a usable and reasonably quick report you need to generate this data on the workstations and servers (not DCs) in your environment and use this data to generate your report as per below:
1. Within the Domain Security Policy choose Security Settings | Local Policies | Audit Policy and enable 'Audit account logon events' and 'Audit privilege use' (Success and Failure).
2. Collect the 528, 537,538, 540 and 578 events from the Security log as well as event 6006 in the System log of servers and/or workstations you wish to audit (i.e. where the people log on interactively) into a separate repository.
3. Import data from this repository into a Logon Sessions DB.
4. Run the Logon Sessions report with filters set for date, logon type (everything but Network) and possibly workstation name.
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center