Making Simple centralized  Logging for logon/logout events on AD Computers

Published on
10,350 Points
1 Endorsement
Last Modified:
As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our own log.

This simple approach can be used to create a log whenever a user logged in / logged out in any network computer, using GPO logon/logout scripts, and logging provided by IIS.

This tip is focusing on using IIS log instead of writing your own log file, which involves some complications like using shares, locking, user rights ... etc.
In brief what you need to do is the following:
1- Make a simple website and host it in any computer (you can use any DC) only one blank .htm page  is needed in that site
2- Enable logging for that site
3- Make a logon/logout script that make a request to that site
4- Attach and deploy those scripts to the GPO

I will not discuss in detail (maybe another article if I get the requests) how to do the 1,2,4 but I will include the script file used, assuming that they dummy site is on port 8595 and the dummy page name default.htm

The parameter passed to the script can be "LoggedOn" when script is used as logon script and the word "LoggedOut" when it is used for Logout, the query string is built in a way that you can use the log file as comma delimited when importing it to excel for example.

Sample log output:

2011-02-27 12:36:17 LOGON,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:36:17
2011-02-27 12:41:38 LOGOUT, sam.jones, Accountant1-PC,Sunday,2011-2-27,15:41:39

And the script :
'--- UserLogonLogOff.vbs

Dim o 
'create the request object
Set o = CreateObject("MSXML2.ServerXMLHTTP")
'create the network object to get computer and user info
Set objNetwork = CreateObject("Wscript.Network")
'day and time format
parm1 = WScript.Arguments(0) '-- this argument is passed by GPO (script parameter)
mnow = now
WhenStr = WeekdayName(weekday(mnow)) &  "," & Year(mnow) &"-" & Month(mnow)&"-" & Day(mnow)& "," & Hour(mnow)& ":" & Minute(mnow) & ":"& Second(mnow)  
'make the request HLG used instead of GET, so you can filter out requests made by the browser

o.open "HLG", ""& parm1 & "," & objNetwork.UserName &  "," & objNetwork.ComputerName &","& WhenStr 
set o = Nothing
set objNetwork = Nothing

Open in new window

Please accept my apology for any inconvenient wording and formatting because this is my first article.

But hope you will find some useful pieces that you can incorporate into your own scripts. If you have any questions or comments, I would love to hear from you. Oh, and don’t forget to vote if you found this Article helpful.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Join & Write a Comment

Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month