SBS2003: How to record and monitor login information?

Posted on 2008-11-18
Last Modified: 2013-12-07

Does anyone know of a way to record/monitor login history on an SBS2003 domain? I use untangle/ntop for web usage so that is not what I am after. ISA is not available either.

I am anticipating a query from the CEO asking for the times that people log on and off....

No VPN access, only local.

Thanks :D
Question by:girbot

    Expert Comment

    Turn on security auditing, and it will show up in the security Event log.

    I hope this helps !

    Expert Comment


    Accepted Solution


    Author Comment

    The login script looks the most usable, I will have to look at it when I am back in the office tomorrow. Thanks so far...

    Author Comment

    Actually I need some help with the below (I've only used login scripts for network shares previously).

    What log files is the script looking for, or do I manually create the log folders and change the address in the script to suit?

    Security logging is running under event viewer...

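    rem Create the log file with a header line the first time the script runs
    If Exist "\\ServerName\Temp\Logs\LogOns.Log" GoTo START
    Echo Log File > "\\ServerName\Temp\Logs\LogOns.Log"
    :START
    rem Append the user, computer, date and time, then any established connections on port 3389
    Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\ServerName\Temp\Logs\LogOns.Log"
    netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\ServerName\Temp\Logs\LogOns.Log"
    Echo.  >> "\\ServerName\Temp\Logs\LogOns.Log"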

    Author Comment

    Ok, I am trying to use the vbs script below (taken from -); it runs and creates the .txt, however nothing is written. All I get is a series of Windows Script Host pop-ups saying either "NT AUTHORITY\SYSTEM should be equivalent to one of the defined users", as well as some users I have included in the script....

    Any ideas?

    Dim objFSO, objFolder, objFile, objWMI, objItem ' Objects
    Dim strComputer, strFileName, objOutput, strFolder, strPath
    Dim intEvent, intRecordNum, colLoggedEvents
    Dim arrIDs, arrUsers, intId
    arrUsers = "DOMAIN\user1, DOMAIN\user2, DOMAIN\user3" 'lowercase for comparisons
    arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")
    strComputer = "."
    strFileName = "\audituser" & Month(Date) & Day(Date) & Year(Date) & ".txt"
    strFolder = "D:\Audituser\Logs"
    strPath = strFolder & strFileName
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' Create the log folder if it does not exist yet
    If objFSO.FolderExists(strFolder) Then
      Set objFolder = objFSO.GetFolder(strFolder)
    Else
      Set objFolder = objFSO.CreateFolder(strFolder)
    End If
    ' Create today's log file if it does not exist yet
    If objFSO.FileExists(strFolder & strFileName) Then
      Set objFolder = objFSO.GetFolder(strFolder)
    Else
      Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
    End If
    Set objFile = Nothing
    Set objFolder = Nothing
    ' Open the log file for writing (True overwrites an existing file)
    Set objOutput = objFSO.CreateTextFile(strPath, True)
    ' Connect to WMI with the Security privilege needed to read the Security log
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
      & strComputer & "\root\cimv2")
    Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
    For Each objItem In colLoggedEvents
      ' Keep only events whose ID appears in arrIDs
      intId = Filter(arrIDs, objItem.EventCode)
      If UBound(intId) >= 0 Then
          wscript.echo objItem.User & " should be equivalent to one of the defined users"
          ' InStr is case-sensitive by default: the lowercased event user is
          ' searched for in arrUsers exactly as it is written above
          If InStr(arrUsers, lcase(objItem.User)) > 0 Then
              objOutput.WriteLine ("Category: " & objItem.Category _
                & " string " & objItem.CategoryString)
              objOutput.WriteLine ("ComputerName: " & objItem.ComputerName)
              objOutput.WriteLine ("Logfile: " & objItem.Logfile _
                & " source " & objItem.SourceName)
              objOutput.WriteLine ("EventCode: " & objItem.EventCode)
              objOutput.WriteLine ("EventType: " & objItem.EventType)
              objOutput.WriteLine ("Type: " & objItem.Type)
              objOutput.WriteLine ("User: " & objItem.User)
              objOutput.WriteLine ("Message: " & objItem.Message)
          End If
      End If
    Next
    objOutput.Close

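A variant of the audit script above, added here as an example and not part of the original post: InStr compares case-sensitively by default, so this version looks accounts up in a text-compare Dictionary and moves the event-ID filter into the WQL query so that WMI returns only the logon events. The account names, folder and event IDs are the post's placeholders, and the tab-separated one-line-per-event output is an assumption.

```vbscript
Option Explicit
' Placeholder accounts and the event IDs listed in the post; adjust to the domain being audited.
Dim arrUsers, arrIDs, dictUsers, strUser, strID, strWhere
arrUsers = Array("DOMAIN\user1", "DOMAIN\user2", "DOMAIN\user3")
arrIDs = Array(528, 540, 529, 530, 531, 532, 533, 535, 539)

' A Dictionary in text-compare mode makes the account lookup case-insensitive.
Set dictUsers = CreateObject("Scripting.Dictionary")
dictUsers.CompareMode = vbTextCompare   ' must be set before any key is added
For Each strUser In arrUsers
  dictUsers(strUser) = True
Next

' Build "EventCode = 528 Or EventCode = 540 ..." for the WQL Where clause.
strWhere = ""
For Each strID In arrIDs
  If strWhere <> "" Then strWhere = strWhere & " Or "
  strWhere = strWhere & "EventCode = " & strID
Next

' Output file; CreateFolder needs the parent folder (D:\Audituser) to exist already.
Dim objFSO, objOutput, strFolder
strFolder = "D:\Audituser\Logs"
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strFolder) Then objFSO.CreateFolder strFolder
Set objOutput = objFSO.CreateTextFile(strFolder & "\audituser" _
  & Month(Date) & Day(Date) & Year(Date) & ".txt", True)

Dim objWMI, colEvents, objItem
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " _
  & "Where Logfile = 'Security' And (" & strWhere & ")")

For Each objItem In colEvents
  ' User is Null for events with no associated account; skip those.
  If Not IsNull(objItem.User) Then
    If dictUsers.Exists(objItem.User) Then
      ' TimeGenerated is a WMI datetime string (yyyymmddHHMMSS...).
      objOutput.WriteLine objItem.TimeGenerated & vbTab & objItem.EventCode _
        & vbTab & objItem.User & vbTab & objItem.ComputerName
    End If
  End If
Next
objOutput.Close
```

Run it with cscript.exe from an account that can read the Security log on the server.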


    Expert Comment

    I would post this in the VBS scripting, as well as the MSDOS TAs for a better response since this is now a scripting issue.

    I hope this helps !

    Author Comment

    Ok, thanks for pointing me in the right direction and your help previously.
