• Status: Solved

How to make Active Directory save logon/logoff (username, date and time) of each user to a TXT or XML archive?

Hello experts!  
How can I make Active Directory save the logon/logoff (username, date and time) of each user to a TXT or XML archive?

Thanks
Wanderson
0
 
Rich Rumble (Security Samurai) Commented:
If you're auditing this in your event logs, then it can be easy. With 2003 and XP Pro there is a utility called Wmic.exe that is able to poll various WMI classes and output them into CSV, XML, or HTML.

I'm not very good at wmic yet... this doesn't yield much good info
/output:c:\file1 wmic /namespace:\\root\cimv2 path Win32_NTLogEvent get eventcode /value |find "529" /format:xml.xsl
/append:c:\file1 wmic /namespace:\\root\cimv2 path Win32_NTLogEvent get eventcode /value |find "528" /format:xml.xsl

you can play around with
wmic /namespace:\\root\cimv2 path Win32_NTLogEvent get /?
to list the other objects you can query

Here is a script that should work, but the format is text
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0126.mspx
-rich
0
 
PINWAN (Author) Commented:
Hi Rich.

Can you help me? I need this to give the logins/logoffs on the Windows 2000 Server with Active Directory.
I tried to run your tip and it doesn't work fine.

Regards,

Wanderson Pin
0
 
Rich Rumble (Security Samurai) Commented:
This will pull info off the computer it's run on...

strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '529'")
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next

If you want to run it on another PC remotely, try this one (replace "IP_or_DNS_name" with the IP of the server you want the logs from, or use the DNS name of that server):
strComputer = "IP_or_DNS_name"
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "EventCode = '529'")
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next

Copy that to a text file. Rename it from .txt to .vbs and run it in a command window:
cscript /nologo file.vbs   (file.vbs is the name of the .vbs file the above script is located in)
and you'll see the output on the screen. To redirect to a file, do:
cscript /nologo file.vbs >output.txt
-rich
0
 
PINWAN (Author) Commented:
Hi Rich.
Good morning.

The script that you sent worked with event 529 (logon).  Thanks.

How do I obtain the logoff?
Is the logoff event 528?

Another question:
Is it possible to run a script similar to the logon script when the user logs off?

The question is the following one:
Here in the company, we need to know the worked hours of each employee and are thinking about using the login/logoff events to measure the worked hours.


Thanks again.
Wanderson Pin
From Brazil
0
 
Rich Rumble (Security Samurai) Commented:
You could try to do this. If everyone is logging off when they leave, it'd probably work well. If the employees know how you've started tracking them, they could leave early and have a co-worker log them off at a later time...

You can use the following modification to the script to get both 529 and 528 (or just run 2 scripts, change 529 to 528 in the second)
(these are lines 3,4 and 5 of the script- line 5 is really all that changes)

Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
            & "(EventCode = '529' or EventCode = '528')")

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_intlg_tools.asp
-rich
0
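
Added example (not part of the original thread): in the Windows 2000/XP/2003 Security log a successful logon is event 528, a user logoff is 538, and 529 is a failed logon, so measuring session length means pairing each 528 with the 538 that carries the same Logon ID. The Python below does that over text in the layout the script above prints, assuming the script was run for event codes 528 and 538; the sample records, user names and Logon IDs are constructed.

```python
import re
from datetime import datetime, timedelta

LOGON, LOGOFF = "528", "538"  # successful logon / user logoff (Windows 2000/XP/2003)

def _rec(code, title, user, logon_id, stamp):
    # Constructed record in the layout printed by the script above.
    return ("Category: 2\nComputer Name: WS01\nEvent Code: %s\nMessage: %s:\n"
            "\tUser Name:\t%s\n\tDomain:\t\tCORP\n\tLogon ID:\t\t%s\n\tLogon Type:\t2\n"
            "Record Number: 1\nSource Name: Security\nTime Written: %s\n"
            "Event Type: audit success\nUser: CORP\\%s\n"
            % (code, title, user, logon_id, stamp, user))

# Constructed sample, newest event first, with one logon that has no logoff.
SAMPLE = (_rec("538", "User Logoff", "jsmith", "(0x0,0x1A2B3)", "20050126173000.000000-180")
          + _rec("528", "Successful Logon", "mlee", "(0x0,0x2C4D5)", "20050126090000.000000-180")
          + _rec("528", "Successful Logon", "jsmith", "(0x0,0x1A2B3)", "20050126083000.000000-180"))

def parse_dmtf(stamp):
    """WMI timestamp yyyymmddHHMMSS.ffffff+UUU (UUU = minutes from UTC) -> UTC datetime."""
    local = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    return local - timedelta(minutes=int(stamp[21:25]))

def field(record, label):
    """Return the value after 'label:' at the start of a line, or None."""
    m = re.search(r"^[ \t]*" + re.escape(label) + r":[ \t]*(.+?)\s*$", record, re.M)
    return m.group(1) if m else None

def sessions(text):
    """Pair each 528 with the 538 that carries the same Logon ID."""
    events = []
    for rec in re.split(r"(?m)^(?=Category: )", text):
        if field(rec, "Event Code") in (LOGON, LOGOFF):
            events.append((parse_dmtf(field(rec, "Time Written")), rec))
    open_logons, closed = {}, []
    for when, rec in sorted(events, key=lambda e: e[0]):  # WMI does not return oldest first
        logon_id = field(rec, "Logon ID")
        if field(rec, "Event Code") == LOGON:
            user = field(rec, "Domain") + "\\" + field(rec, "User Name")
            open_logons[logon_id] = (user, when)
        elif logon_id in open_logons:
            user, start = open_logons.pop(logon_id)
            closed.append((user, start, when, when - start))
    return closed, open_logons  # open_logons: sessions with no logoff recorded

if __name__ == "__main__":
    done, still_open = sessions(SAMPLE)
    for user, start, end, length in done:
        print(user, start.isoformat(), end.isoformat(), length)
    for user, start in still_open.values():
        print(user, start.isoformat(), "no logoff recorded")
```

Events 528 and 538 are written to the Security log of the machine where the logon takes place, so the text has to be collected from each workstation and not only from the domain controller. A session that ends in a crash or power-off leaves no 538 and shows up in the second return value.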
