Log off script in GPO to check who logged off/restart/Shutdown the system. each time the logoff script runs need to get the logged in user name and the option they selected.

bsharath
bsharath used Ask the Experts™
on
Hi,

Log off script in GPO to check who logged off/restart/Shutdown the system. each time the logoff script runs need to get the logged in user name and the option they selected.

Script that i can use as a logoff script that records each machines logs in seperate txt files in a UNC.

can anyone help me with this.

regards
sharath
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Hi there,
         You havent mentioned where you want to implement this script. But i guess it will be on servers? Anyhow, if thats the case you dont need any scripts. Depending on your requirement, you can use SCOM which collects events from machines and reports them back to a central DB. If you want a free solution, you can create a script which is triggered at logoff. But here you have to specify that you get data from eventlogs. The logon, logoff and shutdown information is added to the security log.
            Hope this points you in the right direction.

Author

Commented:
yes i need to collect for the servers
A script would be great...Can you help on it

Commented:
The easiest might be something like this.

Remember that the user is always logged off before shutdown.

Source:
http://community.spiceworks.com/scripts/show/70-track-login-and-logout


echo %username% logged OFF %computername% @ %time% %date% >> \\servername\sharename$\%username%.txt

Open in new window

Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

Author

Commented:
This is what i use now. But needs to find who shut the server down /restart/Logged off. So i knopw which user shut it down.

Commented:
If you run this code right after the logoff, or out to different files for each host, you will get which user it was.

Just replace %username%.txt with %computername%
echo %username% logged OFF %computername% @ %time% %date% >> \\servername\sharename$\%computername%.txt
echo Shutdown @ %time% %date% >> \\servername\computers$\%computername%.txt

Open in new window

Author

Commented:
Can we get the difference as
username = restarted
username = Logoff
username = Shutdown
Which ever button was clicked

Commented:
I don't think you can do this by normal logoff and shutdown script.

Lets say you have logoff, shutdown, startup and logon scripts.

You might get a file for HOST like this:
1. bsharath logged off
2. HOST shut down
3. HOST start up
4. bsharath logged on
5. bsharath logged off
6. bsharath logged on
7. bsharath logged off
8. HOST shut down

Line 1 could be just a logoff, but after that the computer were also shutdown in line 2. In line 3 the copmuter started and this could be either a restart or cold boot. Line 4 indicates a logon, line 5 a logoff, but no shutdown because line 6 is a logon. Line 7 says logoff and line 8 a shutdown.

----------------------

Another option could be to see if you have anything in the event log for that host. You can get that information by script. If you filter your system log for USER32 you get some of these events.

You could also disable the shutdown button for your users and instead create a batch script with something like this:
echo %username% shutdown @ %time% %date% >> \\servername\computers$\%computername%.txt %windir%\System32\shutdown.exe -s

Author

Commented:
Thanks is there any way you know to disable Shutdown button alone and have the restart button enabled
Commented:
I am not aware of any options there, I am sorry.

The restart is actually a shutdown command without the power off switch.

You could maybe disable both shutdown and restart through GPO, though.
You find a lot of policies under "User Configuration\AdministrativeTemplates\Start Menu & Taskbar" for tasks like this.

You might find your answer among these links:
http://answers.yahoo.com/question/index?qid=20071221104722AAGUQrb

This is a cache of the original post. Google Chrome reported this as a site that were not safe, so be careful.
http://74.125.77.132/search?q=cache:5Pe8Okwt0cIJ:https://lists.aas.duke.edu/pipermail/ntgroup/2003-February/001107.html+disable+restart+option+gpo&cd=10&hl=en&ct=clnk

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial