AD User Logon Logging?


LiquidHonesty

Ok, here's the gist of what I was wondering if it's possible.

I currently have computers in a student computer setting, customized, that work fine. They're all Windows XP SP2 and all the machines are members on a 2003 AD Domain. Each user logs into the workstation with their own AD UN/PW.

What I'm wondering is if there's a way to make a script run or something else so whenever a user logs in, it records their USERNAME and the MACHINE NAME that they're logging into and Date/Time, to a text file somewhere. Each machine records to the same file, etc. A database would work too, anything! We need this to keep track of what user was on what machine and at what time.

(Note, I can't just look at the machines to find this data out as I use deep freeze and thus all data is removed off the individual machines nightly).

Thanks for ANY help or direction pointing you all can provide!

Map a network drive on the computer where you want the file stored.

In \documents and settings\all users\start menu\startup\ create this batch file:

@echo off
[x]:
cd\
echo username:%username%, workstation: %computername%, time:%time%, date:%date% > %date%_%random%.txt
exit

I'm not sure how to make a good output file name for this, so it's the current date followed by a random number.

A simple search inside the text files in the folder could find what you need.

Replace [x] with the letter of the mapped drive.

That kind of works, but it doesn't increment the file; instead each machine just overwrites the existing file that's already there, which it seems to name "Fri", which I assume is for Friday, and it has no extension. This "Fri" file's contents look like this:

username:EMITCHELL0001, workstation: SOM-GHOSTLAP, time:17:34:21.92, date:Fri 06/02/2006  06/02/2006_28078.txt

But we're on the right track....thanks a ton for this.

Also, any ideas on how to log when they logoff?

Edited by LiquidHonesty

Ok, I think I got part of it figured out. Seems it was stopping at the "Fri" part of the date and dropping off due to the space. I changed the file creation to ComputerName_Random.txt and I think this will work just fine actually.

HOWEVER, any way to increment the same text file instead of creating a new one each time? To make it just create a new file if there's not one there, and if there is just add a line?

Ok, for reference I found it out....if you use >> instead of just > then it adds it to the same file.

Thanks again Janus, this will work just fine. However, if anyone knows how to get it to write a logoff as well, please let me know.

You're welcome, sorry the original code didn't work as I expected. If you're having it add to the old file you might as well remove the random number at the end of the file name.

I have another idea for this. If it is possible to have them log off using a batch file, then you could just use a mod of the file above, and put

shutdown -l

at the end.

Edited by janus zeal

The logoff.exe can be renamed to something else, and a small program can be written to replace the logoff.exe, to perform whatever is needed before executing the real logoff program.

Edited by LLXX

Hrm, this is a thought. Can you create .exe files from .cmd? Also, if the file can't be written (ie, network is down) will it go ahead and execute the logoff command?

Yes, and yes. If you want to you can make the batch file and I can compile it into an exe. (send PM)

The only problem is that I don't think the computer calls logoff.exe when someone clicks logoff. I'm going to do a test to see...

---edit---

That won't work, logoff.exe isn't called. It's an API call to shell32.dll (not sure about the dll).

I still think that telling them to use a batch file to log off would work, then remove the logoff command from the Start menu.

Edited by janus zeal

I would use a simpler logon script batch file:

echo %username% logged ON at %time% on %date% >> \\some_server\share\folder\logon-%computername%.txt

Replace the UNC path with something more appropriate, no need to map a drive letter or change working directory, disable echo, etc. for such a simple log.

It is possible to set up logoff scripts in the same way via Group Policy if you want to record when users logged off the machine too.

User Configuration / Windows Settings / Scripts (Logon/Logoff) -> Logoff

echo %username% logged OFF at %time% on %date% >> \\some_server\share\folder\logon-%computername%.txt

This would generate and append to a single log file per workstation, recording the logon and logoff time of every user - so long as the client machine can reach the share and the user has write access to the log.

(So it might be wise to create the share with a $ appended so it is hidden from browsing.)

Handling of UNC paths is not usually a problem, however a command prompt does like a drive letter associated with it to have a valid current working directory, so if the batch file were not local then it could have a problem.

You could have the batch file present somewhere on each client's local drive, locked in by Deep Freeze, then use either a local policy or group policy to start it to avoid this problem.

Or, you could use a script to achieve the same result and this can happily be run from a UNC path (such as the folder where the group policy files are located on the DCs) - this would save you having multiple copies of the script/batch file all over the place:

Logon Script:

' Variables for use in the script
const ForAppending = 8
dim objShell
dim strUsername, strComputername, strSession
dim objFSO, objFile
dim strFilename

' Get the environment strings into variables
Set objShell = WScript.CreateObject("WScript.Shell")
strUserName = objShell.ExpandEnvironmentStrings("%USERNAME%")
strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
strSession = objShell.ExpandEnvironmentStrings("%SESSIONNAME%")

' Prepare the file for appending, create if necessary
strFilename = "\\SERVERNAME\SHARENAME\FOLDERNAME\logon-logoff.log"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFilename, ForAppending, True)

' Write the line to the log file
objFile.WriteLine(Date() & " " & Time() & " - " & strUserName & " logged ON to " & strComputerName & " (session: " & strSession & ")")

' Close the file
objFile.Close

Logoff Script:

' Variables for use in the script
const ForAppending = 8
dim objShell
dim strUsername, strComputername
dim objFSO, objFile
dim strFilename

' Get the environment strings into variables
Set objShell = WScript.CreateObject("WScript.Shell")
strUserName = objShell.ExpandEnvironmentStrings("%USERNAME%")
strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")

' Prepare the file for appending, create if necessary
strFilename = "\\SERVERNAME\SHARENAME\FOLDERNAME\logon-logoff.log"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFilename, ForAppending, True)

' Write the line to the log file
objFile.WriteLine(Date() & " " & Time() & " - " & strUserName & " logged OFF " & strComputerName)

' Close the file
objFile.Close

This appends all the logon/logoff events into a single log file with the date, time, client name & session ID (so it covers Terminal Services too).

Save them as 2 separate .vbs files and create a group policy with them both called accordingly via:

User Configuration / Windows Settings / Scripts (Logon/Logoff) -> Logon

User Configuration / Windows Settings / Scripts (Logon/Logoff) -> Logoff

Copy the .vbs files into the folder in the SYSVOL share where the policy resides and they are guaranteed (so long as the client has a working scripting engine) to execute if the policy is processed.

Edited by Mr Snrub
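
Added example, not part of the thread or any poster's code: a Python sketch that reads the single logon-logoff.log produced by the two VBScript files above and pairs ON/OFF lines into sessions, which answers the original question of which user was on which machine at a given time. It assumes the US-locale timestamp form that Date() and Time() would produce on such clients; the sample lines and all names other than EMITCHELL0001 and SOM-GHOSTLAP are constructed.

```python
import re
from datetime import datetime

# Layout written by the thread's VBScript logon/logoff scripts. Date() and Time()
# follow the client's locale; the US form "6/2/2006 5:34:21 PM" is an assumption.
LINE = re.compile(r"^(?P<ts>.+?) - (?P<user>.+?) logged (?P<ev>ON to|OFF) (?P<pc>\S+)")
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample log; only the first user and machine name appear in the thread.
SAMPLE = """\
6/2/2006 5:34:21 PM - EMITCHELL0001 logged ON to SOM-GHOSTLAP (session: Console)
6/2/2006 5:40:02 PM - JDOE0002 logged ON to SOM-LAB01 (session: Console)
6/2/2006 6:10:45 PM - EMITCHELL0001 logged OFF SOM-GHOSTLAP
6/2/2006 6:15:00 PM - ASMITH0003 logged OFF SOM-LAB02
6/3/2006 9:01:10 AM - JDOE0002 logged ON to SOM-LAB01 (session: Console)
""".splitlines()

def sessions(lines):
    """Pair ON/OFF lines into (user, pc, start, end); a missing side is None."""
    pending, out = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank or hand-edited line
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue                      # timestamp in another locale's format
        key = (m["user"].upper(), m["pc"].upper())
        if m["ev"] == "OFF":
            # start is None when the logon line never reached the share
            out.append((*key, pending.pop(key, None), ts))
            continue
        if key in pending:                # earlier logon never got its logoff line
            out.append((*key, pending[key], None))
        pending[key] = ts
    out.extend((*key, start, None) for key, start in pending.items())
    return sorted(out, key=lambda r: r[2] or r[3])

def who_was_on(records, pc, when):
    """Users with a complete session on `pc` that covers `when`."""
    return [u for u, p, start, end in records
            if p == pc.upper() and start and end and start <= when <= end]

def incomplete(records):
    """Records missing a logon or logoff line; these need manual review."""
    return [r for r in records if r[2] is None or r[3] is None]

if __name__ == "__main__":
    recs = sessions(SAMPLE)
    print(who_was_on(recs, "som-ghostlap", datetime(2006, 6, 2, 18, 0)))
    print(len(incomplete(recs)))
```

Incomplete records are expected whenever a client could not reach the share at logon or logoff. Since every user holds write access to the log, treat the file as a convenience record rather than tamper-proof evidence.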