SBS2003: How to record and monitor login information?


Does anyone know of a way to record/montior login history on a sbs2003 domain? I use untangle/ntop for web usage so that is not what I am after. ISA is not available either.

I am anticipating a query from the CEO asking for the times that people log on and off....

No VPN access, only local.

Thanks :D
Who is Participating?
Turn on security auditing, and it will show up in the security Event log.

I hope this helps !
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

girbotAuthor Commented:
The login script looks the most usable, I will have to look at it when I am back in the office tomorrow. Thanks so far...
girbotAuthor Commented:
Actually I need some help with the below (I've only used login scripts for network shares previously).

What log files is the script looking for, or do I manually create the log folders and change the address in the script to suit?

Security logging is running under event viewer...

If Exist "\\ServerName\Logs\LogOns.Log" GoTo START
Echo Log File > "\\ServerName\Temp\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,12%  %Time:~0,5% >> "\\ServerName\Temp\Logs\LogOns.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\ServerName\Temp\Logs\LogOns.Log"
Echo.  >> "\\ServerName\Temp\Logs\LogOns.Log"
girbotAuthor Commented:
Ok I am trying to use the vbs script below (taken from -, it runs and creates the .txt however nothing is written. All I get is a series of Windows Script Host Pop-ups saying either "NT AUTHORITY\SYSTEM should be equivalent to one of the defined users", as well as some users I have included in the script....

Any ideas?

Dim objFSO, objFolder, objFile, objWMI, objItem ' Objects
Dim strComputer, strFileName, objOutput, strFolder, strPath
Dim intEvent, intRecordNum, colLoggedEvents
Dim arrIDs
arrUsers = "DOMAIN\user1, DOMAIN\user2, DOMAIN\user3" 'lowercase for comparisons
arrIDs = Array("528", "540", "529", "531", "539", "530", "532", "535", "533")
strComputer = "."
strFileName = "\audituser" & Month(Date) & Day(Date) & Year(Date) & ".txt"
strFolder = "D:\Audituser\Logs"
strPath = strFolder & strFileName
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
  Set objFolder = objFSO.GetFolder(strFolder)
  Set objFolder = objFSO.CreateFolder(strFolder)
End If
If objFSO.FileExists(strFolder & strFileName) Then
  Set objFolder = objFSO.GetFolder(strFolder)
  Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
End If
Set objFile = Nothing
Set objFolder = Nothing
Set objOutput = objFSO.CreateTextFile(strPath, True)
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
  & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
For Each objItem In colLoggedEvents
  intId = Filter(arrIDs, objItem.EventCode)
  If UBound(intId) >= 0 Then
      wscript.echo objItem.User & " should be equivalent to one of the defined users"
      If InStr(arrUsers, lcase(objItem.User)) > 0 Then
        If UBound(intUser) >= 0 Then
            objOutput.WriteLine ("Category: " & objItem.Category _
              & " string " & objItem.CategoryString)
            objOutput.WriteLine ("ComputerName: " & objItem.ComputerName)
            objOutput.WriteLine ("Logfile: " & objItem.Logfile _
              & " source " & objItem.SourceName)
            objOutput.WriteLine ("EventCode: " & objItem.EventCode)
            objOutput.WriteLine ("EventType: " & objItem.EventType)
            objOutput.WriteLine ("Type: " & objItem.Type)
            objOutput.WriteLine ("User: " & objItem.User)
            objOutput.WriteLine ("Message: " & objItem.Message)
        End If
    End If
  End If

Open in new window

I would post this in the VBS scripting, as well as the MSDOS TAs for a better response since this is now a scripting issue.

I hope this helps !
girbotAuthor Commented:
Ok, thanks for pointing me in the right direction and your help previously.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.