Making Simple Centralized Logging for Logon/Logout Events on AD Computers

As network administrators, we know how hard it is to track users' logins/logouts using the security event log (BTW, it is harder now in Windows 2008 because the user name is always “N/A” in the grid), and most of us either get 3rd-party tools or just make our own log.

This simple approach can be used to create a log entry whenever a user logs in to or out of any network computer, using GPO logon/logout scripts and the logging provided by IIS.

This tip focuses on using the IIS log instead of writing your own log file, which involves complications such as shares, locking, user rights, etc.
In brief, what you need to do is the following:
1- Make a simple website and host it on any computer (you can use any DC); only one blank .htm page is needed in that site
2- Enable logging for that site
3- Make a logon/logout script that makes a request to that site
4- Attach and deploy those scripts to the GPO

I will not discuss in detail how to do steps 1, 2 and 4 (maybe in another article if I get the requests), but I will include the script file used, assuming that the dummy site is on port 8595 and the dummy page is named default.htm.

The parameter passed to the script can be "LoggedOn" when the script is used as a logon script and "LoggedOut" when it is used for logout. The query string is built so that you can use the log file as comma-delimited when importing it into Excel, for example.

Sample log output:

2011-02-27 12:36:17 LOGON,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:36:17
2011-02-27 12:41:38 LOGOUT, sam.jones, Accountant1-PC,Sunday,2011-2-27,15:41:39

And the script:

    '--- UserLogonLogOff.vbs
    Dim o, objNetwork, parm1, mnow, WhenStr
    'create the request object
    Set o = CreateObject("MSXML2.ServerXMLHTTP")
    'create the network object to get computer and user info
    Set objNetwork = CreateObject("WScript.Network")
    parm1 = WScript.Arguments(0) '-- this argument is passed by GPO (script parameter)
    'day and time format
    mnow = Now
    WhenStr = WeekdayName(Weekday(mnow)) & "," & Year(mnow) & "-" & Month(mnow) & "-" & Day(mnow) & "," & Hour(mnow) & ":" & Minute(mnow) & ":" & Second(mnow)
    'make the request; HLG is used instead of GET, so you can filter out requests made by the browser
    'LOGSERVER is a placeholder for the host of the dummy site (the host name is missing from this line as published);
    'port 8595 and default.htm are the values assumed in the text above
    o.open "HLG", "http://LOGSERVER:8595/default.htm?" & parm1 & "," & objNetwork.UserName & "," & objNetwork.ComputerName & "," & WhenStr, False
    'send the request so that IIS writes the log entry
    o.send
    Set o = Nothing
    Set objNetwork = Nothing
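To turn the resulting IIS log into per-user sessions, the following added example (not part of the original article) reads a W3C-format log, keeps only HLG requests, sets aside malformed entries, and pairs logons with logouts using the server-side timestamp, since every value in the query string is reported by the client itself. The sample log lines, the `#Fields` column selection, and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample. The #Fields selection is an assumption; IIS writes the
# real column list in this directive, so the parser reads it from the log.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip
2011-02-27 12:36:17 HLG /default.htm LoggedOn,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:36:17 10.0.0.21
2011-02-27 12:37:02 GET /default.htm - 10.0.0.40
2011-02-27 12:39:00 HLG /default.htm LoggedOn,sam.jones 10.0.0.99
2011-02-27 12:41:38 HLG /default.htm LoggedOut,sam.jones,Accountant1-PC,Sunday,2011-2-27,15:41:39 10.0.0.21
"""
ACTIONS = {"LoggedOn", "LoggedOut"}  # script parameters named in the article

def parse_events(log_text):
    """Return (events, rejected), keeping only well-formed HLG requests."""
    fields, events, rejected = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "HLG":  # ordinary browser traffic
            continue
        parts = row.get("cs-uri-query", "").split(",")
        if len(parts) != 6 or parts[0] not in ACTIONS:
            rejected.append(line)  # malformed: keep for review, do not trust
            continue
        # Server-side timestamp; the time inside the query is client-reported.
        when = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        events.append({"action": parts[0], "user": parts[1], "computer": parts[2],
                       "server_time": when, "client_ip": row.get("c-ip")})
    return events, rejected

def sessions(events):
    """Pair each LoggedOn with the next LoggedOut for the same user and computer."""
    open_logons, closed = {}, []
    for e in events:
        key = (e["user"].lower(), e["computer"].lower())
        if e["action"] == "LoggedOn":
            open_logons[key] = e
        elif key in open_logons:
            start = open_logons.pop(key)
            closed.append((e["user"], e["computer"],
                           e["server_time"] - start["server_time"]))
    return closed
```

Entries returned in `rejected` are worth reviewing together with their `client_ip`, because the site accepts requests from any machine that can reach it.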


Please accept my apology for any inconvenient wording and formatting because this is my first article.

But I hope you will find some useful pieces that you can incorporate into your own scripts. If you have any questions or comments, I would love to hear from you. Oh, and don’t forget to vote if you found this Article helpful.
