Solved

User Logon / Logoff Time Report - id:23252426

Posted on 2009-05-01
Last Modified: 2012-05-06
I tried this User Logon/Logoff Time Report and it works great. My only problems are in the log file it creates:
Problem 1: Some logons show duplicated entries and some do not in the log file.
Problem 2: On the client PC a DOS box opens when this is run and says "Program too big to fit in memory"
Problem 3: The log file is automatically deleted after it grows past 1.3MB
Any suggestions to resolve any of these problems?
Question by:ei00004
11 Comments
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24288630
How are you reporting on logons and logoffs?

Problem 1: Without knowing what you are using to report on logons and logoffs, this is difficult to track down. There are different kinds of logons and logoffs, however. For example, a client may log onto a server multiple times if they are accessing files on a shared folder on a server versus logging onto a workstation once. Additionally, if you have multiple domain controllers in your domain, you should be aware that a logon event would occur only on the domain controller that the client is currently authenticating to.

Problem 2 suggests that you may be using a custom script or software package to track logons and logoffs. This should be brought to the attention of the software vendor or entered as a separate question in which you can post code or specify a certain software package.

Problem 3: You can change the event logs to either overwrite events as needed or just increase the log file size. You can do this by going to properties of the specific event log or, if you have multiple computers in a domain, you can change this by using a group policy.
0
 

Author Comment

by:ei00004
ID: 24305499
Sorry for the confusion, I'm actually using this script associated with EE id:23252426. It allows you to produce a logon / logoff report of all users on the network by allowing you to add the lines below to each user's logon and log off script to create a log file. It would give you UserName, ComputerName, date and time, in a simple single line, followed by the IP from which they connected, if needed. If you wish to know logoff times as well, you can add the same lines to a log off script in group policy (User Configuration | Windows settings | Scripts | Logoff).
I created the GPO as suggested above and entered the script below using my server names.

:Logging
If Exist "\\Server\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\Logs\LogOns.Log"
:START
Echo. >> "\\Server\Logs\LogOns.Log"
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,16% %Time:~0,5% >> "\\Server\Logs\LogOns.Log"
netstat -an |find "3389" |find /I "established" >> "\\Server\Logs\LogOns.Log"

It is supposed to create a log file in \\Server\Logs\LogOns.Log and the entries should look like this:
Log File
Log On: jdoe SERVER1 Tue 1/1/2007 9:01
TCP 10.0.1.100:3389 66.66.123.123:1234 ESTABLISHED
Log Off: jdoe SERVER1 Tue 1/1/2007 9:31
Log On: jsmith SERVER2 Tue 1/1/2007 11:00
TCP 10.0.1.200:3389 66.66.123.124:1234 ESTABLISHED
Log Off: jsmith SERVER1 Tue 1/1/2007 11:30

Problem 1: However they actually look like this, double entries on Log On:
Log On: swilliam DCSO2427 Tue 05/05/2009 9:36
Log On: swilliam DCSO2427 Tue 05/05/2009 9:36
Log On: tehunter DCSO2432 Tue 05/05/2009 9:38
Log On: tehunter DCSO2432 Tue 05/05/2009 9:38
Log On: JRDAVIS DCSOL20159 Tue 05/05/2009 9:39
Log On: grodgers DCSO19146 Tue 05/05/2009 9:40
Log On: grodgers DCSO19146 Tue 05/05/2009 9:40

Problem 2: On the client PC a DOS box opens when the above script is run that says "Program too big to fit in memory"
Executes too quickly to capture screen image for display here. I will check the event viewer on the client PC to see if it tells me more info on this.
Problem 3: The created log file "LogOns.Log", not the "event log", is automatically deleted after it grows past 1.3MB. I can live with the doubled output in the log file but not with it being deleted.
\\Server\Logs\LogOns.Log
 
0
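For reading the log format shown in the post above, a small parser that collapses the back-to-back duplicate "Log On:" entries and attaches the RDP source address from the netstat line (an added example, not part of the original thread or the script it discusses). It assumes the month/day/year date layout seen in the post; `parse_log`, `report` and the sample text are hypothetical names and constructed data.

```python
import re
from datetime import datetime

# "Log On:" / "Log Off:" lines as echoed by the batch file in the post above.
EVENT = re.compile(r"^Log (On|Off):\s+(\S+)\s+(\S+)\s+\w{3}\s+"
                   r"(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2})$")
# netstat line for an established connection to local port 3389 (RDP).
RDP = re.compile(r"^TCP\s+\S+:3389\s+(\S+):\d+\s+ESTABLISHED$", re.I)

# Constructed sample in the format shown in the post (not real log data).
SAMPLE = """Log File

Log On: jdoe SERVER1 Tue 1/1/2007 9:01
  TCP    10.0.1.100:3389    66.66.123.123:1234    ESTABLISHED
Log Off: jdoe SERVER1 Tue 1/1/2007 9:31
Log On:  swilliam DCSO2427  Tue 05/05/2009  9:36
Log On:  swilliam DCSO2427  Tue 05/05/2009  9:36
"""

def parse_log(text):
    """Parse the log into events; an entry identical to the one just before
    it is counted in 'repeats' rather than reported as a second logon."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT.match(line)
        if m:
            kind, user, host, date, time = m.groups()
            when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M")
            key = (kind, user.lower(), host.lower(), when)
            if events and events[-1]["key"] == key:
                events[-1]["repeats"] += 1
                continue
            events.append({"key": key, "kind": kind, "user": user, "host": host,
                           "when": when, "rdp_from": [], "repeats": 0})
            continue
        m = RDP.match(line)
        # Attach the remote address to the event it was logged under.
        if m and events and m.group(1) not in events[-1]["rdp_from"]:
            events[-1]["rdp_from"].append(m.group(1))
    return events

def report(events):
    """One line per distinct event: time, kind, user, host, RDP source, repeats."""
    return [f'{e["when"]:%Y-%m-%d %H:%M} {e["kind"]:<3} {e["user"]} {e["host"]} '
            f'rdp={",".join(e["rdp_from"]) or "-"} repeats={e["repeats"]}'
            for e in events]

if __name__ == "__main__":
    print("\n".join(report(parse_log(SAMPLE))))
```

A non-zero `repeats` value marks a workstation where the logon script ran more than once for the same minute, which is the pattern described as Problem 1.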
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24311000
How about turning on file auditing to see who/what is deleting the file?

Also, are you sure you didn't put the script in the group policy twice or maybe in 2 separate group policies both assigned to the users? I am running the script and it correctly puts one line per logon.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24311005
Just so we're on the same page here, this is a batch file, correct?
0
 

Author Comment

by:ei00004
ID: 24314719

Yes, this is a batch file that runs in a GPO. I created two batch files, "LogonReport.bat" and "LogoffReport.bat", in one GPO. "LogonReport.bat" captures logons to the "LogOns.log" text file and "LogoffReport.bat" captures logoffs to the LogOffs.log text file.
 
LogonReport.bat
Rem: Records Date and Time when users log onto the network
:Logging
If Exist "\\Server\shared$\test\Logs\LogOns.Log" GoTo START
Echo Log File > "\\Server\shared$\test\Logs\LogOns.Log"
:START
rem Echo. >> "\\Server\shared$\test\Logs\LogOns.Log"
Echo Log On:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\shared$\test\Logs\LogOns.Log"
netstat  -an | find "3389" | find  /I "established"  >> "\\Server\shared$\test\Logs\LogOns.Log"
 
 
LogoffReport.bat
REM: Records Date and Time when users logoff the network
:Logging
If Exist "\\Server\shared$\test\Logs\LogOff.Log" GoTo START
Echo Log File > "\\Server\shared$\test\Logs\LogOff.Log"
:START
Rem: Echo. >> "\\Server\shared$\test\Logs\LogOff.Log"
Echo Log Off:  %USERNAME% %COMPUTERNAME%  %Date:~0,16%  %Time:~0,5% >> "\\Server\shared$\test\Logs\LogOff.Log"
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\shared$\test\Logs\LogOff.Log"
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24317632
Can you also verify that it is only applied to the user section of the GPO?
0
 

Author Comment

by:ei00004
ID: 24318845
Please see the attached screen shot showing it is only applied to the User's section of the GPO.
 

LogOnOff-GPO.JPG
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24321808
OK, that was just a wild guess. If you disable the GPO, does it completely stop entering lines in the log?

Other than this I'm out of guesses at this point.
0
 

Author Comment

by:ei00004
ID: 24329839
Yes, when I disable the GPO it does completely stop entering lines in the log, good test though.
0
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 1000 total points
ID: 24331960
Try commenting out the last line of the batch file starting with netstat.

Change
netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\shared$\test\Logs\LogOff.Log"

TO

REM netstat  -an  |find  "3389"  |find  /I  "established"  >> "\\Server\shared$\test\Logs\LogOff.Log"

Let us know what happens.
0
 

Accepted Solution

by:ei00004
ei00004 earned 0 total points
ID: 24398234

Actually the Netstat line was commented out, I uncommented it to see if it makes a difference. I've also tried adding ":EXIT" to close the batch file each time it finishes. Still getting "Program too big to fit in memory" and the log file is then started over.
0
