InTrust lets you gather two types of data related to users logging on and off computers:
For logon and user session tracking to be complete, make sure both the “Windows Security Log” and “InTrust User Session Tracking” data sources are enabled in your collections. For details about enabling data sources, see Managing Collections.
For the purposes of this topic, configure logon event gathering only from domain controllers. Take the following steps:
After this, agents are installed on the domain controllers, and gathering starts automatically.
If you want to watch other computers in addition to or instead of domain controllers (for example, Exchange or file servers), create a new collection and add all the computers you need to it. Configure the gathering options for this collection in the same way.
To confirm that auditing is working as intended, deliberately perform some of the activity you are watching for on the computers you are watching. Do any of the following:
Next, check that your actions have been captured in the repository.
The InTrust Repository Viewer application lets you explore and analyze the contents of InTrust repositories. To browse the repository you have been collecting to, run Repository Viewer from the Start menu, and click File | Open Repository.
In the dialog box that opens, select the Production repository option, and proceed to specify the repository you have been working with.
Note: A production repository is a repository that is available in InTrust Deployment Manager or InTrust Manager. For details about production and idle repositories, see Repository Connections.
The left pane of the Repository Viewer console shows:
You can select any of the search folder nodes or any of the repository hierarchy nodes, and view the events they contain by clicking the Go button. For the purposes of this document, the following predefined searches are useful:
Select one of these searches and click Go. If events about your activity are displayed in the right pane, then auditing has been set up correctly.
For detailed Repository Viewer documentation, see Searching in Repositories with Repository Viewer.
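If the searches show nothing, it helps to know whether the audited computer recorded your test activity in its own Security log at all, which separates an audit policy gap from a gathering problem. The PowerShell check below is an added example, not part of the InTrust documentation or product; the `$UserName` and `$MinutesBack` parameters and their defaults are assumptions, and the event IDs are the standard Windows logon and logoff events rather than anything listed in this guide.

```powershell
# Added example: confirm the local Security log recorded recent test logon activity.
# Run in an elevated PowerShell session on the audited computer (for example, a domain controller).
param(
    [string]$UserName = $env:USERNAME,  # assumption: the account used for the test activity
    [int]$MinutesBack = 30              # assumption: how long ago the test was performed
)

# Standard Windows Security event IDs for logon activity.
$eventNames = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4634 = 'Logoff'
    4647 = 'User-initiated logoff'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4647
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML, because positions differ between event IDs.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $UserName) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Meaning   = $eventNames[$e.Id]
        LogonType = $data['LogonType']   # empty for events that carry no logon type
        Source    = $data['IpAddress']   # empty for logoff events
    }
}

if (-not $rows) {
    Write-Warning "No logon events for '$UserName' in the last $MinutesBack minutes. Check the audit policy on this computer before troubleshooting gathering."
} else {
    $rows | Sort-Object Time | Format-Table -AutoSize
}
```

If events appear here but not in Repository Viewer, the problem lies in gathering rather than in auditing on the computer itself.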
This guide dealt with the default InTrust configuration. If you are interested in other InTrust capabilities and alternative workflows, or if you need in-depth information about the topics covered here, go to the InTrust online documentation library.