Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 214
  • Last Modified:

Need to have a log of users logging into a Windows 2000 Server / Domain

Hello,

I *do* know this question has been asked, but I want to see if there is any updated method or better way.

What I need is a way to log everytime a user logs into our domain on a Windows 2000 server, with user name, date & time; and if possible, what time they log off.

I found this script yesterday here on E-E:

//*
for /f "Tokens=1-4 Delims=/ " %%i in ('date /t') do set dt=%%i-%%j-%%k-%%l
set dtt=%dt%
echo %username% log into %logonserver% at %time% %date% >> \\lri-server\logs\%dtt%.log
*//

This script only works if you are logging on the server directly.  I need the logs to be stored on the server, not on the workstation.

One reason I need this information is to know if a user is coming into the office after hours, what time they were on the network and when they logged out.

Obviously, I need the log to be appended so that each new user is added to the list, not a new list created.

Thanks for your help.....
Loral
0
loral
Asked:
loral
  • 14
  • 5
1 Solution
 
Dark_KingCommented:
Set up a policy to run script on login and logout.

save log to 2000 Server on a public share with no Read and Filescan

===Login.bat===
@echo off
echo Log In %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC\%COMPUTERNAME%.log
echo Log In %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER\%NWUSERNAME%.log
exit


===Logout.bat===
@echo off
echo Log Out %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC\%COMPUTERNAME%.log
echo Log Out %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER\%NWUSERNAME%.log
exit
0
 
Dark_KingCommented:
"Obviously, I need the log to be appended so that each new user is added to the list, not a new list created."
Sorry..

Set up a policy to run script on login and logout.

save log to 2000 Server on a public share with no Read and Filescan

===Login.bat===
@echo off
echo Log In %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC.log
echo Log In %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER.log
exit


===Logout.bat===
@echo off
echo Log Out %Date% %TIME% %NWUSERNAME% >> \\2000Server\USER\share\log\PC.log
echo Log Out %Date% %TIME% %COMPUTERNAME% >> \\2000Server\USER\share\log\USER.log
exit
0
 
loralAuthor Commented:
Hi D.K.

OK,  here's what I've tried so far.

I went into Active Directory
I right clicked on my domain
I chose Properties
I clicked Group Policy
I clicked Add
I created a Policy and named it "Login and Logout Logs"
Under the User Configuration, I clicked the + by Windows Settings
I clicked on Scripts (Logon/Logoff)
I double clicked both the Logon and Logoff in the right pane and pointed them to the logon.bat & logoff.bat respectively.
After closing up the console and AD, etc.  I ran a test logon from a workstation.

I'm not getting any logging.  I tried numerous users, and the same results.  Obviously, I edited the path from your script above to point to my server name, and location to my shared folder, but otherwise copied & pasted your script into the Logon.bat & Logoff.bat I created.

Any ideas where I went wrong?

Thanks
Loral
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Dark_KingCommented:
Try first to set up this policy on a local XP computer, if you get this working you have to make policy distribute to your workstation when login to you domain server.

I use NetWare and don’t now how to set up policy on win2000 server.

Are you sure policy is working use “gpresult /V” to see if you get policy from your domain server.

You can use “GPUpdate /Force” to force policy out.

If you don’t use GP in you domain you can ask an Expert here on how to setup GP on 2000 domain server.
0
 
Dark_KingCommented:

I found this. http://msmvps.com/blogs/kwsupport/archive/2005/02/24/36942.aspx
Don’t now if this help but you can try.
Rename Logon.bat & Logoff.bat to Logon.cmd & Logoff.cmd
And change in GP to this new name.

0
 
loralAuthor Commented:
Hey D.K.

I made a new Group Policy, and it wasn't working.   So, I deleted that policy and just edited the Default Group Policy that was there, and used the same steps as above.

I put the lines you sent  in a logon.bat and logoff.bat file yesterday.   Since yesterday, it did create a pc.log file, and the only thing logged out of 20 users is this:

Log In Wed 04/26/2006 16:42:50.51  
Log In Thu 04/27/2006  9:31:42.06

Both of these entries would be me logging into the server over Term Services into the server.  So, none of the workstations are being logged.

OK, with that said, are you saying I need to make the logon.bat & logoff.bat and append the GP on each workstation?  I was hoping I could just do this on the Server, but it will be a little extra work to put on each workstation, but not impossible.

Thanks again

Loral
0
 
Dark_KingCommented:
No you dont have to put policy on all workstations, you need workstations to read policy from 2000 domain server.
0
 
Dark_KingCommented:
type "set" inside "cmd" from a workstations and see your variables
See if you have NWUSERNAME and COMPUTERNAME
0
 
Dark_KingCommented:
You say
” Both of these entries would be me logging into the server over Term Services into the server.  So, none of the workstations are being logged.”

If this is true you have set this policy local on this server, you should set this
policy to your domain and to user group or users.

Start with something simple change some small stuff like push out control panel settings and work with that until you se it working on workstation.

I’m Not NT expert on policy but a believe you have to set your workstation to
login to this domain to get policy from server.
0
 
loralAuthor Commented:
Hi again,

You're on the right track.

All users do log into a domain.  No one but the admin account can logon to the machine on a local account.  All accounts are roaming profiles.

Here is the results of the "set" command from a workstation.  I logged on as a regular user with power user privilages:

C:\>set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cburke\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LISA
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=U:
HOMEPATH=\
HOMESHARE=\\Lri-server\users\cburke
LOGONSERVER=\\LRI-SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\WINNT\Command
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\cburke\LOCALS~1\Temp
TMP=C:\DOCUME~1\cburke\LOCALS~1\Temp
USERDNSDOMAIN=<our domain>.com    <--- replaced, was listed correctly
USERDOMAIN=<our domain>   <--- replaced, was listed correctly
USERNAME=cburke
USERPROFILE=C:\Documents and Settings\cburke
windir=C:\WINNT

I see I have the Computer name, and is listed correctly, but I don't show NWUSERNAME, just USERNAME.

As I said before, the only GP that was listed was a Default Group Policy.  I edited it to point to the logon & logoff.bat.

Thanks,
Loral
0
 
Dark_KingCommented:
“All users do log into a domain”
Are you applying this policy to this domain and user or group you tested?

"I see I have the Computer name, and is listed correctly, but I don't show NWUSERNAME, just USERNAME."
Then you can change %NWUSERNAME% to %USERNAME%

You can type "echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%"
to see it work.

To log users logging/logout this while work but to get your policy up and running you need to search internet or ask an expert on
http://www.experts-exchange.com/Networking/Microsoft_Network/
You cold redirect this new question to this then expert while now watt you need.

I can search but I can’t test I have no windows server.

If you get this GP working your life while be easy, all local settings in your network is set from server.  And all things you don’t want user to change are possible to set.

If you are low on points you cold ask support to down this question to 250 points and use rest to new question.  
0
 
Dark_KingCommented:
What I figure out is you can’t use gpedit direct you should use MMC and add
”Active directory users and computers” from this you should set GPO.
0
 
loralAuthor Commented:
I'll give those a shot.  I'm a premium member, so points is not an issue.  I raised the points to 500 to keep you interested in continuing to help me out. I would add more, but 500 seems to be the limit.

I used the echo Log In %Date% AT %TIME% AS %USERNAME% ON %COMPUTERNAME%  on my workstation and it does report the correct information.

I'm trying to apply this to the domain.  What I'm doing, and my apologies if this isn't correct; I'm opening up AD, right clicking on my domain, I choose Properties from this menu, I click the Group Policy Tab, I show "Current Group Policy Objects Links for <mydomain>, In the white box area where a list of GP's would be listed, I have one:  Default Domain Policy.   I click "edit", and the GP Console opens.  Under "User Configuration" I am clicking the + by Windows Settings, then I click on "Scripts (Logon/Logoff).  In the right panel, I click the logon & logoff respectively and point them to the logon & logoff.bat files I put in the folders in the winnt\sysvol\... etc. folders.

On adding a GP, I did go to the run command and typed mmc /a and created a new GP, and it does show up using the same method in the previous paragraph, and did the same thing, but it didn't even log the administrator logging in or out.

Oh well, I always seem to have the challenges.  Thanks!

Loral

0
 
Dark_KingCommented:
Don’t now if this is the right way, but test this.

But this bat file on a share folder that’s workstation user has right to read,
And then in policy set this same path (\\servername\sharename\login.bat)

Did you test any other policy like Display property or Control panel setting.
Just to see if some GPO while go out to your workstations.
0
 
Dark_KingCommented:
Try some simple GPO like disable “display settings”
0
 
loralAuthor Commented:
Hi again D.K.

Sorry I haven't been in here for a few days, but other duties called.

I'm printing that document you sent the link to now.  I should have some time this afternoon to try your other suggestions also.

Thanks!
Loral
0

Featured Post

Upgrade your Question Security!

Add Premium security features to your question to ensure its privacy or anonymity. Learn more about your ability to control Question Security today.

  • 14
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now