we have a pool of floating workstations, I have been getting reports of high blocked sites (up to 1 million times in one day) that come from a couple of workstations each day, and always a different station. Since they are floating and not dedicated stations I was wondering if there is a way to have a log/audit of who has logged in on what machines and when during the day?
Create a GPO to Audit Logon Events on workstations like this: How To See Who Logged Into a Computer and When
You need to enable logon audit first Run GPMC.msc on your domain controller > open “Default Domain Controllers Policy” > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy: Audit account logon events > Define > Success and Failure Then open event log and look for 4624 – Login succeeded related to the workstations that you need. Also event id 4771 can help with that.