User Login/Logout log

Did you try checking the Security Log on the server?

you can check audit policy for this

Create a login script that applies to the users
login.bat'

@echo off
echo "On %date% %time%, from %computername% user: %username% logged in Connection Type: %sessionname%" >> \\shareserver\sharename\login_logout.log

Select allOpen in new window

A similar can be used for the logout event.
logout.bat

@echo off
echo "On %date% %time%, from %computername% user: %username% logged out ">> \\shareserver\sharename\login_logout.log

Select allOpen in new window

You could use this as an example and setup a VBscript that will record these events in a database that will be queried.

A user that does not logout will not have a closing session.  There are different tools such as using SNMP and configuring and setting up an SNMPtrapd server.  This way when a user logs in event 528 and 540 could be configured with evntwin to generate an SNMP trap with information on the user, computer, time, and the type of logon.

You can then get those traps and do with as you see fit.  They will record a sleep event and then when unlocked etc.

It all depends on your needs and the time you have to implement this as well as resources i.e. a linux/unix system or use snmptrapd equivalent on the windows platform.

Have  a look at splunk.com.

Thanks guys.  I setup the procedure described in the following:

http://community.spiceworks.com/how_to/show/82

For whatever reason, its not working.  I created the batch files, created the network share on my DC with 'everyone' having full control, did gpedit on the server and configured as per the article but nothing.  Am i missing something?

There are two settings share permissions and security permissions.
What are the security permissions on the file into which log entries will be written?
use a command windows and then run the Login.bat script
do you get an error message?
echo %ERRORLEVEL% after running the script.  If it is anything other than 0 there was a problem in the script.
as a regular user/limited user
try from the command line:
echo "This is a test" >> \\servername\share\computer\%computername%.log
and see what happens.
in this example the computer directory security settings will have to have modify rights to authenticated users.
can you post the output of the server where the share exists:
cacls path\to\the\share\computer?

Arnold,

Ran login.bat from command prompt on the server and it works.  Ran the "this is a test" from a client machine as a domain user and it worked.  Mapped a drive to the server from a client PC and ran login.bat and it worked.  Is it just that the Group Policy is not executing?  If so, what/where to check?  The Gpedit is done at the server, correct?  Nothing to configure on each workstation right?

The group policy has to be refreshed it likely did not propagate..
gpupdate /force

see if the login now updates.

forced the gp update.  had a couple users reboot, still nothing.  Am i missing something on the GP?  On the server, i went to start, run, gpedit.msc, user config, windows settings, scripts, and point it to where the appropriate .bat file is, correct?  

do I need to to do it from active directory?  i.e. right click on the "users" OU and properties and then group policy?  or from group policy management under admin tools?  its SBS 2003.

Any other ideas?

Could you use GPMC and post the settings?

I have no idea what is going on. i.e. the GP might not apply to the user. i.e. where did you link this login/logout GP?

Does it apply to the user you are testing?
Does this GP only set the login script?

There is a 'Staff' OU in AD where its linked.  When I right click on staff and go to properties, there's a group policy tab and under that I have 'open' that opens up the group policy management.  In GPM, i highlight staff and created a new GP.  The link order is 1, GPO is 'new group policy object', under enforced is yes, under link enabled is yes, under gpo status is enabled, wmi filter is none, date created 2/14, and then the domain name.  I then right clicked and selected edit, expand user config, windows settings, scripts and put the path to the bat file under logon and logoff.  

Under properties for logon and logoff, there's a button that says 'show files' to view the script files stored in this gpo and when i click it, it opens up to \\domainname\sysvol\domainname\policies\long number\user\scripts\logon or logoff and its empty.  Should it be?

Let me know if you need additional info.  Appreciate it.

No, here should be the logon.bat and logoff.bat files/scripts that will be executed when the user logs in.

I added them there but still nothing.  Within that same user folder under sysvol, there's a script.ini that has the following:


[Logon]
0CmdLine=E:\Logs\LogOn.bat
0Parameters=
[Logoff]
0CmdLine=E:\Logs\LogOff.bat
0Parameters=

e:\logs\logon.bat is a relative reference which does not exist on the workstation.
copy the Logon.bat into \\domainname\sysvol\domainname\policies\long number\user\scripts\logon and LogOff.bat into \\domainname\sysvol\domainname\policies\long number\user\scripts\logoff

This should do it.

Have not used script.ini but if you must use it, you have to use \\sever\sharename\ to where the file can be located.

Arnold,

I was able to get this working.  Not exactly sure how as I made changes, created a new policy, etc. and eventually one of the things I did work.  The info and steps you gave me are correct though.  I guess I missing something.  Question:  Is it possible to have this same script run on a Mac?  If so, how?  I'm researching it now as well.  I have 3 macs in the network.  Also, there's one laptop that does not login to the domain.  How can i get the script to run?  Can i just install it locally on the laptop and have it run by doing gpedit on the laptop?  Thanks for your help.