Foukos7
asked on
Audit User logon/logoff
Hi to all
I have a really simple question. I am running a w2k3 domain and a 2003 terminal server. My manager wants to view when people log on and log off during the day. Through GP I have enabled auditing of all logon/logoff events. My problem is that it takes too much time to search through the security logs because it audits system logons as well. Is there a way to output events to a txt file or similar in a more readable way? Let's say user, date, time and logon or logoff.
Many Thanks,
Foukos
Keep up the good work!!!
There are also a stack of event log report engines out there that may be helpful.
For example:
http://manageengine.adventnet.com/products/eventlog/eventlog-reports.html
ASKER
Thank you all for your effort!!!
RobWill gets top points. Solution nice and simple worked right away
Many thanks keep up the good work guys.
ASKER
One little question to RobWill.
Why after variables date and time you use ~0,12% and ~0,5%?
>>Why after variables date and time you use ~0,12% and ~0,5%?
Actually date part should read %Date:~0,14%
Using just time returns:
The current time is: 10:00:00.00
Enter the new time:
Whereas %time% only returns the value
10:00:00.0
Finally, %Time:~0,5% returns the value but only displays from character 0 to 5, i.e. the first 5 characters, including spaces, if they exist
10:00
It is just to tidy up the value for report purposes. Actually with date it really is not needed as I was using the whole thing, but assures the length will be 12 (should be 14) characters so spacing in the report will be consistent.
Thanks Foukos7
I added the scripts to my GPO but they are not writing to the log.
I get the following error in the event log:
Event Type: Error
Event Source: UserInit
Event Category: None
Event ID: 1000
Date: 6/18/2008
Time: 9:08:38 AM
User: N/A
Computer: H02GGMOAPP003
Description:
Could not execute the following script LogUser_ON. No application is associated with the specified file for this operation.
.
I think I may have the wrong (or none) extension on the script file names
They are named LogUser_ON and LogUser_OFF
Thanks for your help
File name must end with .bat
If you save the file with Notepad and the .bat extension it will default to .bat.txt
Edit the extension or when saving with Notepad use quotes around the name which will assure an additional extension is not added "LogUser_ON.bat"
Dummy me... I added .bat to the file names and everything works great now!!
Excellent! Glad to hear.
It's a common mistake due to text editors changing extensions.
Cheers !
--Rob
With this trick, the user can see cmd.exe executing on the screen, can see the path of the sysvol folder, and can go to the file and make changes...
Any suggestion to hide it?
At the start of the batch file add
Echo off
It should help. If the user has any knowledge they can usually access the NetLOGON/Sysvol folder quite easily anyway. However they should only have read privileges.
The user can see \\ServerName\Logs\LogOns.Log and can make changes, because the logfile is created with the user's credentials.
Is there a way to write computer name, username, date, logon, logoff straight to MS-SQL instead of a text file? This way we can do a quick query instead of going file by file. We have 100+ in our company.
I am sure there is, but I am not a programmer and I am afraid I am of no help in that area.
--Rob
Let me ask you this, if you don't mind. When exactly does the logon script run? After the user does "Ctrl, Alt, Delete"? Same with logoff.
rem Log on script
If Exist "\\ServerName\Logs\LogOns.Log" GoTo START1
Echo Log File > "\\ServerName\Logs\LogOns.Log"
:START1
Echo. >> "\\ServerName\Logs\LogOns.Log"
Echo ------------------------------------------------------ >> "\\ServerName\Logs\LogOns.Log"
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\ServerName\Logs\LogOns.Log"
Exit
==============================================
rem Log off script
If Exist "\\ServerName\Logs\LogOns.Log" GoTo START2
Echo Log File > "\\ServerName\Logs\LogOns.Log"
:START2
Echo. >> "\\ServerName\Logs\LogOns.Log"
Echo Log Off: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\ServerName\Logs\LogOns.Log"
EXIT
It depends on how you apply it. The intent is to use group policy and logon and log off scripts. It is then applied after the user enters their user name and password at logon, and after they click log off or shut down, the same as any logon script.
Not meaning to be rude, but Experts-Exchange guidelines state that this is Foukos7's question, and if you would like to discuss further you should open a new question.
--Rob
Brian
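One way to get the per-user report and the quick query asked about in this thread, as an added example that is not part of any post here: it loads the "Log On:" / "Log Off:" lines the scripts write into SQLite, pairs sessions, and sets aside lines that do not parse, which matters because users write the file with their own credentials. The sample log, the user and computer names, and the US-style 14-character date layout are assumptions.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample in the layout the logon/logoff scripts write. Assumes the
# 14-character %Date:~0,14% form on a US-format machine ("Wed 06/18/2008").
SAMPLE_LOG = """Log File

------------------------------------------------------
Log On: alice WS01 Wed 06/18/2008  9:08

Log Off: alice WS01 Wed 06/18/2008 17:31

------------------------------------------------------
Log On: bob TS01 Wed 06/18/2008 10:00

Log Off: carol WS07 Wed 06/18/2008 12:15

------------------------------------------------------
Log On: dave WS09 Wed 06/31/2008 08:00
"""

LINE = re.compile(r"^Log (On|Off):\s+(\S+)\s+(\S+)\s+(\S+ \S+)\s+(\d{1,2}:\d{2})\s*$")

def load(text):
    """Load event lines into SQLite; return (db, lines that failed to parse)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (kind TEXT, user TEXT, host TEXT, ts TEXT)")
    rejected = []
    for line in text.splitlines():
        if not line.startswith(("Log On:", "Log Off:")):
            continue  # header, blank and dashed separator lines
        m = LINE.match(line)
        try:
            ts = datetime.strptime(f"{m.group(4)} {m.group(5)}", "%a %m/%d/%Y %H:%M")
        except (AttributeError, ValueError):  # wrong shape or impossible date
            rejected.append(line)
            continue
        db.execute("INSERT INTO events VALUES (?,?,?,?)",
                   (m.group(1), m.group(2), m.group(3), ts.isoformat(" ")))
    return db, rejected

def sessions(db):
    """Pair each logon with the next logoff by the same user on the same host."""
    return db.execute(
        "SELECT user, host, ts, (SELECT MIN(o.ts) FROM events o WHERE o.kind='Off'"
        " AND o.user=e.user AND o.host=e.host AND o.ts>=e.ts)"
        " FROM events e WHERE kind='On' ORDER BY ts").fetchall()

def orphan_logoffs(db):
    """Logoffs with no earlier logon: a gap, or a sign the file was edited."""
    return db.execute(
        "SELECT user, host, ts FROM events e WHERE kind='Off' AND NOT EXISTS"
        " (SELECT 1 FROM events i WHERE i.kind='On' AND i.user=e.user"
        " AND i.host=e.host AND i.ts<=e.ts) ORDER BY ts").fetchall()
```

Rejected lines and orphan logoffs are worth checking against the Security event log, which users cannot edit.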