[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


SBS2003: How to record and monitor login information?

Posted on 2008-11-18
Medium Priority
Last Modified: 2013-12-07

Does anyone know of a way to record/montior login history on a sbs2003 domain? I use untangle/ntop for web usage so that is not what I am after. ISA is not available either.

I am anticipating a query from the CEO asking for the times that people log on and off....

No VPN access, only local.

Thanks :D
Question by:girbot
  • 4
  • 4
LVL 63

Expert Comment

ID: 22986698
Turn on security auditing, and it will show up in the security Event log.

I hope this helps !
LVL 63

Expert Comment

ID: 22986738
LVL 63

Accepted Solution

SysExpert earned 750 total points
ID: 22986780
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22987499
The login script looks the most usable, I will have to look at it when I am back in the office tomorrow. Thanks so far...

Author Comment

ID: 22995401
Actually I need some help with the below (I've only used login scripts for network shares previously).

What log files is the script looking for, or do I manually create the log folders and change the address in the script to suit?

Security logging is running under event viewer...

If Exist "\\ServerName\Logs\LogOns.Log" GoTo START
Echo Log File > "\\ServerName\Temp\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\ServerName\Temp\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\ServerName\Temp\Logs\LogOns.Log"
Echo.  >> "\\ServerName\Temp\Logs\LogOns.Log"

Author Comment

ID: 23056640
Ok I am trying to use the vbs script below (taken from - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22127291.html), it runs and creates the .txt however nothing is written. All I get is a series of Windows Script Host Pop-ups saying either "NT AUTHORITY\SYSTEM should be equivalent to one of the defined users", as well as some users I have included in the script....

Any ideas?

Dim objFSO, objFolder, objFile, objWMI, objItem ' Objects
Dim strComputer, strFileName, objOutput, strFolder, strPath
Dim intEvent, intRecordNum, colLoggedEvents
Dim arrIDs
arrUsers = "DOMAIN\user1, DOMAIN\user2, DOMAIN\user3" 'lowercase for comparisons
arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")
strComputer = "."
strFileName = "\audituser" & Month(Date) & Day(Date) & Year(Date) & ".txt"
strFolder = "D:\Audituser\Logs"
strPath = strFolder & strFileName
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
  Set objFolder = objFSO.GetFolder(strFolder)
  Set objFolder = objFSO.CreateFolder(strFolder)
End If
If objFSO.FileExists(strFolder & strFileName) Then
  Set objFolder = objFSO.GetFolder(strFolder)
  Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
End If
Set objFile = Nothing
Set objFolder = Nothing
Set objOutput = objFSO.CreateTextFile(strPath, True)
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
  & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
For Each objItem In colLoggedEvents
  intId = Filter(arrIDs, objItem.EventCode)
  If UBound(intId) >= 0 Then
      wscript.echo objItem.User & " should be equivalent to one of the defined users"
      If InStr(arrUsers, lcase(objItem.User)) > 0 Then
        If UBound(intUser) >= 0 Then
            objOutput.WriteLine ("Category: " & objItem.Category _
              & " string " & objItem.CategoryString)
            objOutput.WriteLine ("ComputerName: " & objItem.ComputerName)
            objOutput.WriteLine ("Logfile: " & objItem.Logfile _
              & " source " & objItem.SourceName)
            objOutput.WriteLine ("EventCode: " & objItem.EventCode)
            objOutput.WriteLine ("EventType: " & objItem.EventType)
            objOutput.WriteLine ("Type: " & objItem.Type)
            objOutput.WriteLine ("User: " & objItem.User)
            objOutput.WriteLine ("Message: " & objItem.Message)
        End If
    End If
  End If

Open in new window

LVL 63

Expert Comment

ID: 23057320
I would post this in the VBS scripting, as well as the MSDOS TAs for a better response since this is now a scripting issue.

I hope this helps !

Author Comment

ID: 23067338
Ok, thanks for pointing me in the right direction and your help previously.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses
Course of the Month19 days, left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question