Need to have a log of users logging into a Windows 2000 Server / Domain


I *do* know this question has been asked, but I want to see if there is any updated method or better way.

What I need is a way to log every time a user logs into our domain on a Windows 2000 server, with user name, date & time; and if possible, what time they log off.

I found this script yesterday here on E-E:

for /f "Tokens=1-4 Delims=/ " %%i in ('date /t') do set dt=%%i-%%j-%%k-%%l
set dtt=%dt%
echo %username% log into %logonserver% at %time% %date% >> \\lri-server\logs\%dtt%.log

This script only works if you are logging on the server directly.  I need the logs to be stored on the server, not on the workstation.

One reason I need this information is to know if a user is coming into the office after hours, what time they were on the network and when they logged out.

Obviously, I need the log to be appended so that each new user is added to the list, not a new list created.

Thanks for your help.....

Set up a policy to run script on login and logout.

save log to 2000 Server on a public share with no Read and Filescan

@echo off
echo Log In %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC\%COMPUTERNAME%.log
echo Log In %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER\%NWUSERNAME%.log

@echo off
echo Log Out %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC\%COMPUTERNAME%.log
echo Log Out %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER\%NWUSERNAME%.log
"Obviously, I need the log to be appended so that each new user is added to the list, not a new list created."

Set up a policy to run script on login and logout.

save log to 2000 Server on a public share with no Read and Filescan

@echo off
echo Log In %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC.log
echo Log In %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER.log

@echo off
echo Log Out %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC.log
echo Log Out %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER.log

loral (Author) Commented:
Hi D.K.

OK,  here's what I've tried so far.

I went into Active Directory
I right clicked on my domain
I chose Properties
I clicked Group Policy
I clicked Add
I created a Policy and named it "Login and Logout Logs"
Under the User Configuration, I clicked the + by Windows Settings
I clicked on Scripts (Logon/Logoff)
I double clicked both the Logon and Logoff in the right pane and pointed them to the logon.bat & logoff.bat respectively.
After closing up the console and AD, etc.  I ran a test logon from a workstation.

I'm not getting any logging.  I tried numerous users, and the same results.  Obviously, I edited the path from your script above to point to my server name, and location to my shared folder, but otherwise copied & pasted your script into the Logon.bat & Logoff.bat I created.

Any ideas where I went wrong?


Try first to set up this policy on a local XP computer; if you get this working, you have to make the policy distribute to your workstations when they log in to your domain server.

I use NetWare and don't know how to set up policy on a Win2000 server.

Are you sure the policy is working? Use "gpresult /V" to see if you get the policy from your domain server.

You can use "GPUpdate /Force" to force the policy out.

If you don't use GP in your domain, you can ask an Expert here how to set up GP on a 2000 domain server.

I found this.
Don't know if this helps, but you can try.
Rename Logon.bat & Logoff.bat to Logon.cmd & Logoff.cmd
And change the GP to use the new names.

loral (Author) Commented:
Hey D.K.

I made a new Group Policy, and it wasn't working.   So, I deleted that policy and just edited the Default Group Policy that was there, and used the same steps as above.

I put the lines you sent  in a logon.bat and logoff.bat file yesterday.   Since yesterday, it did create a pc.log file, and the only thing logged out of 20 users is this:

Log In Wed 04/26/2006 16:42:50.51  
Log In Thu 04/27/2006  9:31:42.06

Both of these entries would be me logging into the server over Term Services into the server.  So, none of the workstations are being logged.

OK, with that said, are you saying I need to make the logon.bat & logoff.bat and append the GP on each workstation?  I was hoping I could just do this on the Server, but it will be a little extra work to put on each workstation, but not impossible.

Thanks again

No, you don't have to put the policy on all workstations; you need the workstations to read the policy from the 2000 domain server.
Type "set" inside "cmd" from a workstation and see your variables.
You say
"Both of these entries would be me logging into the server over Term Services into the server.  So, none of the workstations are being logged."

If this is true, you have set this policy locally on this server; you should set this
policy on your domain and on the user group or users.

Start with something simple: change some small stuff, like pushing out control panel settings, and work with that until you see it working on a workstation.

I'm not an NT expert on policy, but I believe you have to set your workstation to
log in to this domain to get policy from the server.

loral (Author) Commented:
Hi again,

You're on the right track.

All users do log into a domain.  No one but the admin account can logon to the machine on a local account.  All accounts are roaming profiles.

Here are the results of the "set" command from a workstation.  I logged on as a regular user with power user privileges:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cburke\Application Data
CommonProgramFiles=C:\Program Files\Common Files
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
ProgramFiles=C:\Program Files
USERDNSDOMAIN=<our domain>.com    <--- replaced, was listed correctly
USERDOMAIN=<our domain>   <--- replaced, was listed correctly
USERPROFILE=C:\Documents and Settings\cburke

I see I have the Computer name, and is listed correctly, but I don't show NWUSERNAME, just USERNAME.

As I said before, the only GP that was listed was a Default Group Policy.  I edited it to point to the logon & logoff.bat.

“All users do log into a domain”
Are you applying this policy to this domain and user or group you tested?

"I see I have the Computer name, and is listed correctly, but I don't show NWUSERNAME, just USERNAME."
Then you can change %NWUSERNAME% to %USERNAME%

You can type "echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%"
to see it work.

To log users logging in/out this will work, but to get your policy up and running you need to search the internet or ask an expert on
You could redirect this new question to this; then the expert will know what you need.

I can search but I can't test; I have no Windows server.

If you get this GP working your life will be easy; all local settings in your network are set from the server.  And all the things you don't want users to change are possible to set.

If you are low on points you could ask support to lower this question to 250 points and use the rest for a new question.
What I figured out is you can't use gpedit directly; you should use MMC and add
"Active directory users and computers", and from this you should set the GPO.

loral (Author) Commented:
I'll give those a shot.  I'm a premium member, so points is not an issue.  I raised the points to 500 to keep you interested in continuing to help me out. I would add more, but 500 seems to be the limit.

I used the echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%  on my workstation and it does report the correct information.

I'm trying to apply this to the domain.  What I'm doing, and my apologies if this isn't correct: I'm opening up AD, right clicking on my domain, I choose Properties from this menu, I click the Group Policy tab, I show "Current Group Policy Objects Links for <mydomain>". In the white box area where a list of GPs would be listed, I have one:  Default Domain Policy.   I click "edit", and the GP Console opens.  Under "User Configuration" I am clicking the + by Windows Settings, then I click on "Scripts (Logon/Logoff)".  In the right panel, I click the logon & logoff respectively and point them to the logon & logoff.bat files I put in the folders in the winnt\sysvol\... etc. folders.

On adding a GP, I did go to the run command and typed mmc /a and created a new GP, and it does show up using the same method in the previous paragraph, and did the same thing, but it didn't even log the administrator logging in or out.

Oh well, I always seem to have the challenges.  Thanks!
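
Added example (not code from the thread): once logon and logoff lines in the `echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%` form are being collected, this pairs them into sessions and flags after-hours logons, which is the use the question describes. It assumes a matching `Log Out` line, the US date layout seen in the thread's log, and a 07:00 to 18:00 working day; the sample lines, `jdoe` and the `WS` computer names are constructed.

```python
import re
from datetime import datetime, time

# Constructed sample in the format written by
#   echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%
# and an assumed matching "Log Out" line; jdoe and the WS names are made up.
SAMPLE_LOG = """\
Log In Wed 04/26/2006 AT  8:02:11.40 AS cburke ON WS01
Log Out Wed 04/26/2006 AT 17:05:37.12 AS cburke ON WS01
Log In Wed 04/26/2006 AT 22:47:03.95 AS jdoe ON WS07
Log Out Thu 04/27/2006 AT  0:12:44.08 AS jdoe ON WS07
Log In Thu 04/27/2006 AT  9:31:42.06 AS cburke ON WS01
garbage line that should be skipped
"""

# %TIME% pads single-digit hours with a space, hence \s+ after AT.
LINE_RE = re.compile(
    r"^Log (In|Out) \w{3} (\d{2}/\d{2}/\d{4}) AT\s+(\d{1,2}:\d{2}:\d{2})\.\d+"
    r" AS (\S+) ON (\S+)\s*$"
)

def parse(text):
    """Yield (event, timestamp, user, computer) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event, d, t, user, pc = m.groups()
            yield event, datetime.strptime(f"{d} {t}", "%m/%d/%Y %H:%M:%S"), user, pc

def sessions(text):
    """Pair each Log In with the next Log Out for the same user and computer."""
    open_logins, done = {}, []
    for event, ts, user, pc in parse(text):
        key = (user.lower(), pc.lower())
        if event == "In":
            if key in open_logins:  # earlier logon never logged off (crash, power-off)
                done.append(open_logins[key] + (None,))
            open_logins[key] = (user, pc, ts)
        elif key in open_logins:
            done.append(open_logins.pop(key) + (ts,))
    done += [s + (None,) for s in open_logins.values()]  # still logged on
    return sorted(done, key=lambda s: s[2])

def after_hours(text, start=time(7, 0), end=time(18, 0)):
    """Sessions whose logon falls outside start..end or on a weekend."""
    return [s for s in sessions(text)
            if s[2].weekday() >= 5 or not (start <= s[2].time() < end)]
```

Each line is written by the client that is logging on, so the result is only as trustworthy as the write permissions on the log share.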


Don't know if this is the right way, but test this.

Put this bat file on a shared folder that the workstation user has rights to read,
and then in the policy set this same path (\\servername\sharename\login.bat)

Did you test any other policy, like Display properties or a Control Panel setting?
Just to see if some GPO will go out to your workstations.
Try some simple GPO like disabling "display settings"

loral (Author) Commented:
Hi again D.K.

Sorry I haven't been in here for a few days, but other duties called.

I'm printing that document you sent the link to now.  I should have some time this afternoon to try your other suggestions also.
