First, make sure that you're legally entitled to search this computer. Check with your legal and HR departments to ensure the employee had acknowledged your acceptable computer use policy, and that the employee was specifically told that their behavior was being monitored. You can tell who was logged into the computer if:
- You have user-specific accounts created (everyone doesn?t log on as ?Administrator?).
- You have successful logon auditing enabled on the client computer.
- The security logs are still available?depending on the configuration, these may be deleted after a certain period of time or number of events.
If you meet all of these requirements, just look in the Security Event Log of the computer. You?ll find the Event Viewer located in the Administrative Tools folder.
This was first published in August 2002