[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Making Simple centralized  Logging for logon/logout events on AD Computers

Published on
10,362 Points
1 Endorsement
Last Modified:
As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our own log.

This simple approach can be used to create a log whenever a user logged in / logged out in any network computer, using GPO logon/logout scripts, and logging provided by IIS.

This tip is focusing on using IIS log instead of writing your own log file, which involves some complications like using shares, locking, user rights ... etc.
In brief what you need to do is the following:
1- Make a simple website and host it in any computer (you can use any DC) only one blank .htm page  is needed in that site
2- Enable logging for that site
3- Make a logon/logout script that make a request to that site
4- Attach and deploy those scripts to the GPO

I will not discuss in detail (maybe another article if I get the requests) how to do the 1,2,4 but I will include the script file used, assuming that they dummy site is on port 8595 and the dummy page name default.htm

The parameter passed to the script can be "LoggedOn" when script is used as logon script and the word "LoggedOut" when it is used for Logout, the query string is built in a way that you can use the log file as comma delimited when importing it to excel for example.

Sample log output:

2011-02-27 12:36:17 LOGON,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:36:17
2011-02-27 12:41:38 LOGOUT, sam.jones, Accountant1-PC,Sunday,2011-2-27,15:41:39

And the script :
'--- UserLogonLogOff.vbs

Dim o 
'create the request object
Set o = CreateObject("MSXML2.ServerXMLHTTP")
'create the network object to get computer and user info
Set objNetwork = CreateObject("Wscript.Network")
'day and time format
parm1 = WScript.Arguments(0) '-- this argument is passed by GPO (script parameter)
mnow = now
WhenStr = WeekdayName(weekday(mnow)) &  "," & Year(mnow) &"-" & Month(mnow)&"-" & Day(mnow)& "," & Hour(mnow)& ":" & Minute(mnow) & ":"& Second(mnow)  
'make the request HLG used instead of GET, so you can filter out requests made by the browser

o.open "HLG", ""& parm1 & "," & objNetwork.UserName &  "," & objNetwork.ComputerName &","& WhenStr 
set o = Nothing
set objNetwork = Nothing

Open in new window

Please accept my apology for any inconvenient wording and formatting because this is my first article.

But hope you will find some useful pieces that you can incorporate into your own scripts. If you have any questions or comments, I would love to hear from you. Oh, and don’t forget to vote if you found this Article helpful.

Featured Post

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Join & Write a Comment

Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month