Here is my search:
EventCode=4624 OR EventCode=4634 NOT (Account_Name=*$* OR Account_Name=*Anonymous* OR Account_Name=SYSTEM) | table _time, Account_Name, host, TaskCategory, Logon_ID
All of my Logoff events return fine, but my Logons are mostly returning with 0x0 and then a carriage return before the actual AD username. For example (in table view):
9 6/29/13 9:39:15.000 PM - TS01 Logon 0x0
bobsmith 0x1af572c2
What problem does this cause? Well none until I export as a CSV and my Account_Name and Logon_ID fields populate with #NAME? in Excel because Microsoft doesn't know what to do with the second line so it just sees it as a faulty value of =-
How do at least get rid of the carriage return, and ideally get rid of the hyphen that prefixes all of my usernames in my logon events? Is this a glitch or am I doing something wrong on my server?