Easy enough:
SELECT w.Name AS ComputerName, l.[User] as LoggedUser, CONVERT(FLOAT,l.Duration / 60.0) AS DurationHrs
FROM Wrksta w
INNER JOIN Evt_AeX_Client_LogOn l ON l._ResourceGuid = w.Guid
INNER JOIN AeXInv_AeX_OS_User_Profiles p ON p.WrkstaId = w.WrkstaId AND p.[User] = l.[User]
WHERE l.Event = 'Logoff'
AND l.Duration <> 0
AND CONVERT(FLOAT,l.Duration / 60.0) > 10
AND l._eventTime > DATEADD(Day, -30, CURRENT_TIMESTAMP)
AND p.[Admin Access] = 1
ORDER BY ComputerName, l.Duration DESC
The AeXInv_AeX_OS_User_Profiles view allows us to see which profiles are on the machine and which ones have admin access. So, we join up to that group and that gets us away from having to specify actual user ids.
For the event time, I still this it is easiest to use the logoff events simply b/c it has a corresponding logon event. Instead of doing something like AND l._eventTime > DATEADD(Day, -30, CURRENT_TIMESTAMP), you could do something like AND l._eventTime BETWEEN '11/30/2008' AND '03/15/2009'.
However, this still doesn't solve the problem of a user logging and and net yet logging out. A user with admin rights could have logged in a month ago and not yet logged out, so we don't pick it up in this query. I will need to think on that one a little bit.
RS