As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our own log.
This simple approach can be used to create a log whenever a user logged in / logged out in any network computer, using GPO logon/logout scripts, and logging provided by IIS.
This tip is focusing on using IIS log instead of writing your own log file, which involves some complications like using shares, locking, user rights ... etc.
In brief what you need to do is the following:
- Make a simple website and host it in any computer (you can use any DC) only one blank .htm page is needed in that site
- Enable logging for that site
- Make a logon/logout script that make a request to that site
- Attach and deploy those scripts to the GPO
I will not discuss in detail (maybe another article if I get the requests) how to do the 1,2,4 but I will include the script file used, assuming that they dummy site is on 192.168.0.15 port 8595 and the dummy page name default.htm
The parameter passed to the script can be "LoggedOn" when script is used as logon script and the word "LoggedOut" when it is used for Logout, the query string is built in a way that you can use the log file as comma delimited when importing it to excel for example.
Sample log output:
2011-02-27 12:36:17 LOGON,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:36:17 192.168.0.99
2011-02-27 12:41:38 LOGOUT, sam.jones, Accountant1-PC,Sunday,2011-2-27,15:41:39 192.168.0.99
And the script :
'create the request object
Set o = CreateObject("MSXML2.ServerXMLHTTP")
'create the network object to get computer and user info
Set objNetwork = CreateObject("Wscript.Network")
'day and time format
parm1 = WScript.Arguments(0) '-- this argument is passed by GPO (script parameter)
mnow = now
WhenStr = WeekdayName(weekday(mnow)) & "," & Year(mnow) &"-" & Month(mnow)&"-" & Day(mnow)& "," & Hour(mnow)& ":" & Minute(mnow) & ":"& Second(mnow)
'make the request HLG used instead of GET, so you can filter out requests made by the browser
o.open "HLG", "http://192.168.0.15:8595/default.htm?"& parm1 & "," & objNetwork.UserName & "," & objNetwork.ComputerName &","& WhenStr
set o = Nothing
set objNetwork = Nothing
Please accept my apology for any inconvenient wording and formatting because this is my first article.
But hope you will find some useful pieces that you can incorporate into your own scripts. If you have any questions or comments, I would love to hear from you. Oh, and don’t forget to vote if you found this Article helpful.