Skip to main content
Super User

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

6
  • 2
    I find filtering on eventID 4624 to be the best way to extract this information from the Security log.
    – Frank Thomas
    Commented Oct 21, 2015 at 15:57
  • As a side note to my answer, when filtering by event ID the times are no longer in chronological order by time. You could either choose to Filter Current Log... and specify what you want, or you could organize it by Date and Time then look for the correct ID. Assuming you have a general time frame of when this happened, sorting by Date and Time may be the best option.
    – DrZoo
    Commented Oct 21, 2015 at 16:01
  • 1
    Thanks for the reply, but can I tell from which IP address he has logged? Because actually me and my team members all have the administrator account. So when I look at "Account Name", it just gives me "Administrator" which doesn't help.
    – KhaledMaged
    Commented Oct 21, 2015 at 16:07
  • @KhaledMaged as long as you guys all have a different computer, you can tell which computer it is by checking the computer name in the log. The computer name is the field that says Computer. I updated the image and circled the computer name field in blue.
    – DrZoo
    Commented Oct 21, 2015 at 16:12
  • 1
    @DrZoo But this field gives me the name of the remote computer in all cases. Even in the cases where I logged. Only the name of the remote computer itself. I know this may be weird, but that's what I have in front of me.
    – KhaledMaged
    Commented Oct 21, 2015 at 16:24